Cisco ASR9000 Deployment Guide Series

Size: px

Start display at page:

Download "Cisco ASR9000 Deployment Guide Series"

Monica Stewart
6 years ago
Views:

1 Cisco ASR9000 Deployment Guide Series ASR9K BNG RADIUS and CoA deployment guide Part 1 Jun-2014 Roy Jiang(zhjiang@cisco.com) TME, HERO BU 1 of 237

2 Version 1.0 Executive summary 5 Acknowledgement 6 1. Chapter 1, ASR9K s RADIUS overview BNG relationship with RADIUS SERVER BNG RADIUS configuration task RADIUS attributes ASR9K BNG supported RADIUS attributes Cisco AVPair overview key explanations for Cisco AVPair for ASR9K BNG Chapter 2, how RADIUS/CoA attribute work on a session AAA attribute and RADUS attribute show downloaded RADIUS attribute debug command to display radius attributes debug command to display internal AAA attributes SADB - Subscriber Attribute Database SUBDB - Subscriber Database and session config handling session config from multiple sources including radius server Example of multi-source session config Chapter 3, Authentication and Authorization Terminology and fact Authentication 36 - PPPoE PTA session 37 - Web-logon for both PPPoE and IPoE session Authorization 37 - Transparent Auto-logon 37 - LAC authorization using domain name 37 - Service authorization Authenticated and authorised state Chapter 4, Attributes in Access-Request - report session information Manipulation of attributes - the principle IPoE session access-request PPPoE session access-reqeust Customising the attribute in access-request NAS-Port-Type AAA Attribute Format 54 2 of 237

3 4.4.3.Username NAS-Port-ID Called-Station-Id and Calling-Station-Id NAS-Port Cisco-AVPair remote-id-tag, cuicuit-id-tag and dhcpv6-interface-id 66 - DHCPv4 session 66 - DHCPv6 session 66 - PPPoE session Chapter 5, Attributes in Access-Accept - configure a session convention attributes usage in detail 69 No. 1 v4 unnumbered 69 No. 2 V4 pool for PPP 69 No. 3 V4 address for PPPoE PTA session 70 No. 4 V4 netmask for PPPoE PTA session 71 No. 5 V4 DNS server for PPP PTA 72 No. 6 IPv4 MTU for PPPoE PTA session 73 No. 8 v4 pool for DHCP 82 No. 9 - V4 address for DHCP session 84 No V4 netmask for DHCP session 87 No IPv4 MTU for DHCP triggered session 97 No vrf-id 98 No V4 ACL 99 No QoS policy-map 100 No Parameter QoS (P-QoS) 101 No session accounting list 105 No session accounting interim interval 106 No session accounting dual stack delay 107 No service accounting list 108 No Session-Timeout 109 No idle Timeout threshold and direction 110 No lawful intercept 111 No v4 urpf 112 No ipv4-icmp-unreachable 115 No double dip 117 No enable HTTP redirect 118 No DHCPv4 session limit 119 No DHCPv4 class 120 No class (IETF attribute 25) 125 No echo-string (Cisco AVpair) 127 No v6 enable 128 No V6 prefix for PPPoE PTA session using SLAAC 130 No V6 framed-interface-id for PPPoE PTA session using SLAAC of 237

4 No V6 framed-ipv6-pool for PPPoE PTA session using SLAAC 138 No Framed-ipv6-address for DHCPv6 for both PPPoE and IPoE 142 No Stateful-IPv6-Address-Pool for DHCPv6 for both PPPoE and IPoE 144 No Delegated-IPv6-prefix-Pool for DHCPv6 for both PPPoE and IPoE 146 No V6 DNS server for DHCPv6 for both PPPoE and IPoE 148 No DHCPv6 class 149 No v6 ACL 150 No ipv6-unreachable 151 No IPv6 urpf 152 No service-activate 155 No service-deactivate 160 No L2TP LAC/VPDN related attributes Chapter 6, CoA and PoD CoA/PoD overview restriction of ASR9K CoA/PoD implementation key component in a CoA message Session key (mandatory) CoA command(mandatory with some exception) RADIUS attributes (optional) session-BNG address mapping PoD ( DM) and different session key Example of a failed POD Example of PoD using acct-session-id as session key Example of PoD using framed-ip-address as session key Example of PoD using framed-ip-address plus AVPair vrf-id as session key Example of PoD using username as session key Account-logoff Example of basic CoA account-logoff Example of CoA account-logoff with explicit actions in control policy Account-logon Example of TAL + CoA account-logon Account-update Example of CoA account-update for interface session Service-Activate Example of Service-Activate failed to override the existing user-profile Example of a successful Service-Activate Service-Deactivate Example of a successful Service-Deactivate of 237

5 Executive summary The purpose of this document is to address the questions related to the use of RADIUS attribute in ASR9K BNG deployment, and help network engineers inside and outside of Cisco to deploy BNG easier, especially on the interoperation between ASR9K BNG and RADIUS backend system. How does ASR9K BNG work with the radius server/coa client for AAA? What s the call Plow for each step of ASR9K- AAA communication? What does the typical radius/coa message look like? What attributes are supposed to be in what message? What s the supported IETF/Cisco vender specipic attribute in the ASR9K BNG. What s the different between IOS and IOS XR regarding radius implementation? What s the correct format for each attribute? To complement a specipic task, what attributes are needed? Anything else need to know about the AAA? This document could be used as a complementary document to the Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway ConPiguration Guide published on This is the part 1 of this document, focusing on the Authentication, Authorization and CoA/PoD. Part 2 will focus on Accounting. For more useful external ASR9000 BNG technical articles, please visit bng- links 5 of 237

6 Acknowledgement Thanks for Xander Thuijs Engineer from Cisco HERO BU Deployment and escalation team and Anil Kuriakose Technical Leader from Cisco NOSTG Broadband team, and other DEs from NOSTG Broadband team. It s not possible to have this Doc done without their great help and support. 6 of 237

1. Chapter 1, ASR9K s RADIUS overview 1.1. BNG relationship with RADIUS SERVER ASR9K BNG acts as a policy enforcement point in the network, it works via two northern bound interfaces, RADIUS and COA,

7 1. Chapter 1, ASR9K s RADIUS overview 1.1. BNG relationship with RADIUS SERVER ASR9K BNG acts as a policy enforcement point in the network, it works via two northern bound interfaces, RADIUS and COA, with external backend system for subscriber management. Northbound Interfaces AAA Server Subscriber Policy Layer Policy Server Web Portal DHCP Server Internet/Core Guest Portal Open Garden Video Audio Servers Walled Garden RADIUS Interface, for subscriber AAA functionalities and service download RADIUS Extensions (RFC 3576) Open Interface, for dynamic, administrator or subscriber driven, session and service management functions Policy PULL Policy PUSH Presentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 117 ASR9K works with AAA in two ways. 1, BNG is a RADIUS client, sending radius request to a external RADIUS server(pull mode). Following actions are under this model. Authentication for session or service Authorization for session or service Accounting for session or service 7 of 237

8 RADIUS Interface Access Request Access Request Access Accept Access Reject Access Challenge AAA Server Policy PULL Access Request is used for Session Authentication Session Authorization Service Profile Download Access Accept is used to return Credential Verification Notification User profile and associated services Service Profile Download Access Reject is used for Credential Verification Failure Notification Access Challenge is used for PPP CHAP Authentication Presentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 118 RADIUS Interface Accounting Request Accounting Request Accounting Response AAA Server Policy PULL Accounting Request Start is used to signal Session Start Accounting Request Stop is used to signal Session Termination Accounting Request Interim is used to Provide interval counters Presentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential of 237

2, BNG is a COA server, receiving COA request from a external COA client.(push mode) Following actions are under this model. Account- logon Account- logoff (also known as PoD or MS) Account- update.

9 2, BNG is a COA server, receiving COA request from a external COA client.(push mode) Following actions are under this model. Account- logon Account- logoff (also known as PoD or MS) Account- update. Service- activate Service- deactivate RADIUS Interface Extensions Policy PUSH CoA Request CoA ACK CoA NAK Policy Server (CoA) ASR9000 supports RADIUS Extensions as defined in RFC3576 Facilitates dynamic session control from a Policy server. Standard primitives include: Disconnect Messages (DM or aka as PoD) Change of Authorization (CoA) Proprietary CoA Extensions: Account Logon Account Logoff Account Update Service Activate Service De-activate Presentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential of 237

10 1.2. BNG RADIUS configuration task To enable an ASR9K BNG to work together with external RADIUS server/coa client, you need to complete following basic conpiguration on ASR9K. Also, you need to do some basic conpiguration in radius server/coa client accordingly. Information needed to be conpigured on both sides and match each other. For radius - Radius client/server IP address - UDP Port used for authentication and accounting - Share key For COA - COA client/server IP address - UDP Port used for COA communication - Share key Here is an basic AAA conpiguration as an example. radius-server host auth-port 1812 acct-port 1813 key 7 110A D5A5E57 radius-server host auth-port 1812 acct-port 1813 key 7 104D000A F aaa server radius dynamic-author port 1700 client vrf default server-key E1D aaa group server radius S99_GRP1 server auth-port 1812 acct-port 1813 source-interface MgmtEth0/RSP0/CPU0/0 aaa group server radius S99_GRP2 server auth-port 1812 acct-port 1813 source-interface Loopback99 aaa accounting subscriber S99_AAA_list broadcast group S99_GRP1 group S99_GRP2 10 of 237

11 aaa authorization subscriber S99_AAA_list group S99_GRP1 group S99_GRP2 aaa authentication subscriber S99_AAA_list group S99_GRP1 group S99_GRP RADIUS attributes ASR9K BNG supported RADIUS attributes There is a list of supported radius attribute in the section of RADIUS attributes of Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway ConPiguration Guide. You can Pind the latest version here conpiguration/guide/b- bng- cg52xasr9k/b- bng- cg52xasr9k_appendix_01001.html#reference_f61e65b1915c49d5b1c402b951 3D355D (some supported attributes are missing in the above document but will be explained in this deployment guide). Unfortunately, above document only tells what attributes are supported, but it dose not explain what attributes are supposed to be in what radius message, or what information will be carried by what attribute, or how to build the user- propile to use those attributes to achieve a certain session conpiguration Cisco AVPair overview Besides supporting most of the IETF radius attributes, Cisco ASR9K BNG uses cisco VSA to achieve many goals. 11 of 237

12 Cisco VSA always started with type 26, and vendor- id 9, followed by various of string. Among the Cisco VSA, Cisco AV- pair is the most popular format for ASR9K to use to communicate to the RADIUS server or CoA client. Cisco AV- pair is the Cisco VSA with vendor type 1,which is a cleartext AV- Pair. Besides the Cisco- AVpair with Vendor type 1, there are other Cisco VSA with vendor type from 2 to other 255, but ASR9K BNG does not use them as of now, with the known exception of Cisco VSA Cisco- NAS- Port (with vendor type 2) used in access- request and accounting- request, and Subscriber- Password. (with vendor type 249) used in CoA request to carry the encrypted password. Regarding Cisco- AVPair, under the same format(type 26, vendor- Id 9, vendor type 1),there could be different string in the attribute- specipic part(string is the 12 of 237

13 only supported type). In this way we can use Cisco- AVpair to present different Attribute=Value straight- forwardly. The attribute- specipic string could be divided to 3 parts. For example Cisco- Avpair = "protocol:attribute=value" Cisco- avpair = "ip:ipv4- mtu=1480" to specify ipv4 mtu to 1480 Cisco- avpair = "ip:addr- pool=pppoe_pool2" to specify the name of the ip pool to pppoe_pool2 To better understand how Cisco- AVPair works, following are an example how to construct an user propile in the users.conf Pile in a FreeRADIUS server, and the accordingly radius packet captured and displayed in wireshark. User profile in radius server User@domain.com Auth-Type := Local, User-Password == "cisco" Cisco-avpair = "ip:ipv4-mtu=1480", Cisco-avpair += "ip:ipv4-unnumbered=loopback222", Cisco-avpair += "ip:addr-pool=pppoe_pool2" 13 of 237

Radius packet decoding 1.3.3.key explanations for Cisco AVPair for ASR9K BNG Here are some things need to highlight regarding the Cisco AV- Pair.

14 Radius packet decoding key explanations for Cisco AVPair for ASR9K BNG Here are some things need to highlight regarding the Cisco AV- Pair. - In a single radius message, there may be more than one Cisco- Avpair( they share the same format - type 26, vendor- Id 9, vendor type 1) included,so the radius server need to support including multiple VSA with same type in the same message. - The protocol part before the colon in Cisco- AVpair will be ignored by IOS XR BNG implementation(but the protocol part is meaningful under IOS). For the sake of compatibility, it s OK to keep the protocol part in Cisco- AVpair depined in the existing backend system. For instance, for ASR9K BNG, following Cisco- AVpair are equivalent to each other. Cisco- avpair = ip:ipv4- unnumbered=loopback222 Cisco- avpair = ipv4- unnumbered=loopback222 Cisco- avpair = ipv4:ipv4- unnumbered=loopback of 237

15 - Not all of the Cisco- AVpair supported by IOS based BRAS/ISG get supported by IOS XR based BNG implementation. An unsupported Cisco AV- Pair or VSA from other vendor in a access- accept would cause the failure of session establishment and marked as PAP failed although the BNG get an access- accept from radius server. In following case, there is a Cisco- avpair = wins- server= " in the access- accept which is not supported by BNG. RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber manager disconnect- history Tue May 6 16:17: UTC Location: 0/RSP0/CPU0 [ IEDGE DISCONNECT HISTORY LAST SESSIONS ] Disconnect Reason: PAP Authentication failed Disconnect Cause: AAA_DISC_CAUSE_DEFAULT (0) Abort Cause: AAA_AV_ABORT_CAUSE_PPP_PAP_FAIL (25) Terminate Cause: AAA_AV_TERMINATE_CAUSE_USER_ERROR (17) Time Disconnected: 2014:05:06 16:13:05 Client: Subscriber Label: Interface: [ Session Info ] ppp_ma 0x d BE pppoe1555 Interface: Unknown Circuit ID: Unknown Remote ID: Unknown Type: PPPoE IPv4 State: Up Pending, Tue May 6 16:13: IPv6 State: Up Pending, Tue May 6 16:13: Mac Address: 3c07.545f.c041 Account- Session Id: Nas- Port: User name: PPP_SUPER@S99 Outer VLAN ID: 101 Inner VLAN ID: 99 Subscriber Label: 0x d Created: Tue May 6 16:13: State: Connected Authentication: unauthenticated Authorization: unauthorized Ifhandle: 0x0000af20 Session History ID: 0 Access- interface: Bundle- Ether Policy Executed: event Session- Start match- first [at Tue May 6 16:13: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 activate dynamic- template S99_DT_LCP [cerr: No error][aaa: Success] event Session- Activate match- first [at Tue May 6 16:13: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 authenticate aaa list S99_AAA_list [cerr: 'AAA_BASE' detected the 'fatal' condition 'Bad response or attribute not defined'][aaa: Error] last 15 of 237

16 Session Accounting: disabled Last COA request received: unavailable User Profile received from AAA: None Services: Name : S99_DT_LCP Service- ID : 0x400003b Type : Template Status : Applied [Event History] May 6 16:13: SUBDB produce done To prevent this from happened, a CLI could be used. radius-server vsa attribute ignore unknown - Some Cisco- AVpair is exchangeable to some IETF standard attribute or adsl- vsa, another words, it is identical to use a Cisco- AVPair or an IETF standard attribute to achieve a certain goal when applicable. Following example shows that you can use either a Cisco- AVpair or an IETF attribute to specify the ipv4 pool from which an IPv4 address is assigned to a session. IETF standard attribute: Framed-IP-Pool = pppoe_pool2 Cisco- AVpair: Cisco-avpair = ip:addr-pool=pppoe_pool2 - There is a way to use CLI to display the radius attributes downloaded to a session upon authentication/authorization as part of the user- propile, but you may Pind that the name of the attribute displayed by CLI is not identical to the name of the radius attribute depined in the radius server. The reason is that the CLI displayed AAA attributes are internal named, to which one or more 16 of 237

17 RADIUS attributes are mapping. That fact also explains why we can use either a cisco- AVPair or a IETF attributes to Pill the same AAA attribute in some case. For example IETF standard attribute:framed- IP- Pool = S99_POOL_PPPV4_VRF or Cisco- AVpair:Cisco- avpair = ip:addr- pool= S99_POOL_PPPV4_VRF is mapping(or translated) to internal aaa attribute addr- pool with value S99_POOL_PPPV4_VRF when you issue the CLI show subscriber session all detail internal, you get following display. RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all detail internal Mon May 5 11:22: UTC Interface: Bundle- Ether pppoe1520 display snippet User Profile received from AAA: Attribute List: 0x500f9ff0 1: ipv4- unnumbered len= 12 value= Loopback1199 2: addr- pool len= 18 value= S99_POOL_PPPV4_VRF 3: ip- vrf len= 7 value= S99_VRF. 2. Chapter 2, how RADIUS/CoA attribute work on a session 17 of 237

18 2.1.AAA attribute and RADUS attribute Here the term of AAA attribute is not identical to the RADIUS attribute. AAA Attribute has been depined internally in the BNG implementation essentially, for the purpose of session identity or conpiguration. Roughly speaking there are two kinds of AAA attribute. - Identity/credential attributes, for example, username, password, pppoe- session- id,client- mac- address, physical- port etc. - Con?iguration attribute, for example, inacl, outacl, addr, primary- dns etc. The information of identity/credential AAA attributes are normally extracted from other source and may be translated to radius attributes which are included in the radius access- request or accounting- request message to report to external RADIUS server. On the contrary, the conpiguration AAA attributes normally come from CLI (dynamic- template) or external RADIUS server on reception of an access- accept message during authentication or CoA request. BNG will parse the radius attribute, build the AAA attributes accordingly and store them in somewhere for other usage, such as building the conpiguration block of a session. Every supported radius attribute( standard of VSA) has an AAA attributes to map to, but please be noted that not all of the AAA attributes will be communicated from/to an external RADIUS server, hence, not all of the AAA attributes has a 1:1 mapping radius attribute. For example, there is an AAA attribute called if- handle, which is an internal information only used by other process/component, and it is not reported to radius server since RADIUS server do not need or understand this kind of information. Essentially, AAA attributes are the internal data structures, and radius attributes are the containers of information from/to external RADIUS server. RADIUS attributes sent to RADIUS server are retrieved from AAA attributes, and the 18 of 237

19 radius attributes download from external RADIUS server are interpreted to AAA attributes to store in the database on the BNG and used by other components. The reason why it s needed to explain the difference and relationship between AAA attributes and RADIUS attributes is that some of the debug/show display present only AAA attributes. This may make people confused, in case people do want to see what radius attributes are downloaded and applied to a session. There are a mapping table between internal AAA attributes and radius attributes but it s an Cisco internal link and not accessible to people out off cisco. Fortunately, most of the AAA attributes name are self- explaining and identical to the name its RADUS AVPair counterpart show downloaded RADIUS attribute Following is the show command to display the radius attributes downloaded from radius server during in access- accept. RP/0/RSP0/CPU0:Roy_BNG_1#show subscriber session filter username PPP2@S99 detail internal Thu Jul 17 00:50: UTC Interface: Bundle- Ether pppoe7 Circuit ID: Unknown Remote ID: Unknown Type: PPPoE:PTA IPv4 State: Up, Thu Jul 17 00:39: IPv4 Address: , VRF: default IPv4 Up helpers: 0x {PPP} IPv4 Up requestors: 0x {PPP} IPv6 State: Down, Thu Jul 17 00:39: Mac Address: a857.4e06.4f47 Account- Session Id: Nas- Port: User name: PPP2@S99 Outer VLAN ID: 101 Inner VLAN ID: 99 Subscriber Label: 0x Created: Thu Jul 17 00:39: State: Activated Authentication: authenticated Authorization: unauthorized Ifhandle: 0x Session History ID: 1 Access- interface: Bundle- Ether Policy Executed: event Session- Start match- first [at Thu Jul 17 00:39: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 19 of 237

20 10 activate dynamic- template S99_DT_LCP [cerr: No error][aaa: Success] event Session- Activate match- first [at Thu Jul 17 00:39: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 authenticate aaa list S99_AAA_list [cerr: No error][aaa: Success] 20 activate dynamic- template S99_DT_PTA_MIN [cerr: No error][aaa: Success] Session Accounting: Acct- Session- Id: Method- list: S99_AAA_list Accounting started: Thu Jul 17 00:39: Interim accounting: On, interval 10 mins Last successful update: Thu Jul 17 00:49: Next update in: 00:08:17 (dhms) Last update sent: Thu Jul 17 00:49: Updates sent: 1 Updates accepted: 1 Updates rejected: 0 Update send failures: 0 Last COA request received: unavailable User Profile received from AAA: Attribute List: 0x500f9f68 1: ipv4- unnumbered len= 12 value= Loopback1099 2: addr- pool len= 14 value= S99_POOL_PPPV4 3: accounting- list len= 12 value= S99_AAA_list 4: acct- interval len= 4 value= 600(258) 5: primary- dns len= 4 value= : secondary- dns len= 4 value= : session- timeout len= 4 value= 3600(e10) 8: route len= 30 value= : sub- qos- policy- in len= 20 value= S99_IN_POLICING_256K 10: sub- qos- policy- out len= 21 value= S99_OUT_POLICING_512K 11: outacl len= 11 value= S99_ACL_out 12: inacl len= 10 value= S99_ACL_in 13: addr len= 4 value= Services: Name : S99_DT_LCP Service- ID : 0x400003e Type : Template Status : Applied Name : S99_DT_PTA_MIN Service- ID : 0x400005a Type : Template Status : Applied [Last IPv6 down] Disconnect Reason: Disconnect Cause: AAA_DISC_CAUSE_DEFAULT (0) Abort Cause: AAA_AV_ABORT_CAUSE_NO_REASON (0) Terminate Cause: AAA_AV_TERMINATE_CAUSE_NONE (0) Disconnect called by: [iedge internal] [Event History] Jul 17 00:39: SUBDB produce done [many] Jul 17 00:39: IPv4 Up Comparing to following log message from radius server, you will Pind - Above show command give attribute list with the AAA attribute name rather than radius attribute name. 20 of 237

21 - For radius attribute cisco AVpair, the AAA attribute name is identical to the AVpair name, but for IETF standard radius attributes, the RADIUS AAA attribute name is different, but not difpicult to guess what is what. Sending Access- Accept of id 34 to port Cisco- AVPair = "ipv4- unnumbered=loopback1099" Cisco- AVPair += "addr- pool=s99_pool_pppv4" Cisco- AVPair += "accounnng- list=s99_aaa_list" Acct- Interim- Interval += 600 Cisco- AVPair += "primary- dns= " Cisco- AVPair += "secondary- dns= " Session- Timeout += 3600 Framed- Route += " " Cisco- AVPair += "sub- qos- policy- in=s99_in_policing_256k" Cisco- AVPair += "sub- qos- policy- out=s99_out_policing_512k" Cisco- AVPair += "outacl=s99_acl_out" Cisco- AVPair += "inacl=s99_acl_in" Framed- IP- Address += debug command to display radius attributes debug radius ( could run with Pilter like debug radius Pilter mac- address )CLI directly gives the name of the radius attributes and it s content, but there is a bug CSCuh48079 causing some of the cisco AV- pair could not be decoded correctly, and it will be Pixed in and release. RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Send Access- Request to :1812 id 39, len 243 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: authenticator C6 01 CA 67 E1 2B - E3 88 9C BA 89 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Vendor- Specific [26] 41 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: NAS- Port [5] RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: NAS- Port- Id [87] 16 0/0/101/ RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Vendor- Specific [26] 22 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: User- Name [1] 10 PPP2@S99 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Service- Type [6] 6 Framed[0] RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: User- Password [2] 18 * RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: Unsuppoted attribute. RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Vendor- Specific [26] 33 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Framed- Protocol [7] 6 PPP[0] RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: NAS- Port- Type [61] 6 Virtual PPPoEoQinQ[0] RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Called- Station- Id [30] 4 99 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Calling- Station- Id [31] 16 a857.4e06.4f47 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Event- Timestamp [55] RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Nas- Identifier [32] 11 Roy_BNG_1 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: NAS- IP- Address [4] RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: Updating last used server RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Acct- Session- Id [44] RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: Using global deadtime = 0 sec RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: Start timer thread rad_ident 39 remote_port 1812 remote_addr 0xac1258dd, socket rctx 0x500f of 237

22 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: Successfully sent packet and started timeout handler for rctx 0x500f7848 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: Got global deadtime 0 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: rctx found is 0x500f7848 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: Radius packet decryption complete with rc = 0 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: authenticator F0 FF 82 CD BC FD 8E F 8C 9D RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Vendor- Specific [26] 36 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Vendor- Specific [26] 32 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Vendor- Specific [26] 36 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Received from id :1812, Access- Accept, len 389 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Acct- Interim- Interval[85] RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Vendor- Specific [26] 29 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Vendor- Specific [26] 31 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Session- Timeout [27] RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Vendor- Specific [26] 46 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Framed- Route [22] RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Vendor- Specific [26] 26 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Vendor- Specific [26] 24 RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Class [25] 11 S99_PPPOE RP/0/RSP0/CPU0:Jul 17 01:05: : radiusd[1117]: RADIUS: Framed- IP- Address [8] debug command to display internal AAA attributes Another debug command debug aaa- sub all display the information of AAA attributes related to the session, see following example for the same session. RP/0/RSP0/CPU0:Roy_BNG_1#RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] nas- port- type not configured on interface. RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] Nas- Port format selected : PPPPPPPPVVVVVVVVVVVVVVVVUUUUUUUU. RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] adding formatted nas- port : RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] adding formatted nas- port- id : 0/0/101/ RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] aaa radius attribute format FORMAT_CALLED_STATION_ID RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] format FORMAT_CALLED_STATION_ID found in data base RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] formatted string 99,length = 2 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] aaa radius attribute format FORMAT_CALLING_STATION_ID RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] format FORMAT_CALLING_STATION_ID found in data base RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] aaa_base_req_alloc:allocated aaa base req structure 50baa4d8, 50d2b9a8 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] aaa_base_req_request_init: Setting the req param for req type RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] aaa_base_req_set_context: Setting the context structure for the aaa req RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] aaa_base_req_set_callback: Setting the callback function for the req RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] aaa_base_req_add_attr_list: Setting the attribute list for the req RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] Attribute List - - 1: if- handle len= (15a0) 2: client- mac- address len= 14 a857.4e06.4f47 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] aaa_base_handle_aaa_api: AAA Base Server Pulse handler- Received 0 msg type RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: FSM State: INIT Event:0 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: Added req in hash table id 43 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] aaa_base_req_send: Sending the req request from Client to Server RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: Method List: 0 Server Group Name: S99_GRP1 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: Method List: 1 Server Group Name: S99_GRP2 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: Method List: 2 Server Group Name: 22 of 237

23 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: Method List: 3 Server Group Name: RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: broadcast is NOTSET RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: Named server group is selected RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: First Server group selected S99_GRP1 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] Attribute List: 0x50d2bdc8 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: Method List S99_AAA_list RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 1: if- handle len= (15a0) RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 3: string- session- id len= RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 4: nas- port len= ( ) RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 5: interface len= 14 0/0/101/ RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 6: username len= 8 PPP2@S99 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 7: protocol- type len= 4 ppp RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 8: service- type len= 4 Framed RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 9: authen- type len= 4 svc<0> prot<0> tag<0> mand<1> client<0x0>pap RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 10: password len= 5 svc<0> prot<0> tag<0> mand<1> client<0x0><opaque value> RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 11: connect- progress len= 4 LCP Open RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 12: Framed- Protocol len= 4 PPP RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 13: parent- if- handle len= (1260) RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 14: port- type len= 4 Virtual PPPoE over QinQ RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 15: dnis len= 2 99 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 16: formatted- clid len= 14 a857.4e06.4f47 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 17: Event- Timestamp len= (53c72332) RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 18: inner- vlan- id len= 4 99(63) RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 19: outer- vlan- id len= 4 101(65) RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_marshall_aaa_base_req_request_parameters: Marshalling req Message type 0 Application id 0 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 2: client- mac- address len= 14 a857.4e06.4f47 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_send: sent msg ipc_send passed buf_len: 368 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_alloc:allocated aaa base req structure 5013a898, 5013add8 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] Attribute List: 0x5013b1ac RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 1: if- handle len= (15a0) RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 2: client- mac- address len= 14 a857.4e06.4f47 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 3: string- session- id len= RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 4: nas- port len= ( ) RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 5: interface len= 14 0/0/101/ RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 6: username len= 8 PPP2@S99 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 7: protocol- type len= 4 ppp RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 8: service- type len= 4 Framed RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_handle_aaa_base_msg: Received IPC message Type 0 App type 0 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 10: password len= 5 svc<0> prot<0> tag<0> mand<1> client<0x0><opaque value> RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 11: connect- progress len= 4 LCP Open RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 12: Framed- Protocol len= 4 PPP RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 13: parent- if- handle len= (1260) RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 14: port- type len= 4 Virtual PPPoE over QinQ RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 15: dnis len= 2 99 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 16: formatted- clid len= 14 a857.4e06.4f47 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 17: Event- Timestamp len= (53c72332) RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 18: inner- vlan- id len= 4 99(63) RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 19: outer- vlan- id len= 4 101(65) RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: FSM State: INIT Event:3 23 of 237

24 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:aaa Base Client Handler... RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:calling client call back function RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_handle_aaa_msg: Invoking call back function for app type 0 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 9: authen- type len= 4 svc<0> prot<0> tag<0> mand<1> client<0x0>pap RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_get_server_group_name: Server group name: S99_GRP1 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_add_attr_list: Setting the attribute list for the req RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:client] Attribute List - - 1: ipv4- unnumbered len= 12 svc<0> prot<0> tag<0> mand<1> client<0x0>loopback1099 2: RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] aaa_base_handle_aaa_api: AAA Base Server Pulse handler- Received 1 msg type RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_authen_received: FSM State: AUTHEN RECEIVED Event:6 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] Attribute List: 0x5013b1ac RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 1: ipv4- unnumbered len= 12 svc<0> prot<0> tag<0> mand<1> client<0x0>loopback1099 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 2: addr- pool len= 14 svc<0> prot<0> tag<0> mand<1> client<0x0>s99_pool_pppv4 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 3: accounting- list len= 12 svc<0> prot<0> tag<0> mand<1> client<0x0>s99_aaa_list RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 4: acct- interval len= 4 svc<0> prot<0> tag<0> mand<0> client<0x0>600(258) RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 5: primary- dns len= 4 svc<0> prot<0> tag<0> mand<1> client<0x0> RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 6: secondary- dns len= 4 svc<0> prot<0> tag<0> mand<1> client<0x0> RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 7: session- timeout len= 4 svc<0> prot<0> tag<0> mand<0> client<0x0>3600(e10) RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 8: route len= 30 svc<0> prot<0> tag<0> mand<0> client<0x0> RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 9: sub- qos- policy- in len= 20 svc<0> prot<0> tag<0> mand<1> client<0x0>s99_in_policing_256k RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 10: sub- qos- policy- out len= 21 svc<0> prot<0> tag<0> mand<1> client<0x0>s99_out_policing_512k RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 11: outacl len= 11 svc<0> prot<0> tag<0> mand<1> client<0x0>s99_acl_out RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 12: inacl len= 10 svc<0> prot<0> tag<0> mand<1> client<0x0>s99_acl_in RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 13: class len= 9 svc<0> prot<0> tag<0> mand<0> client<0x0> f f 45 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 14: addr len= 4 svc<0> prot<0> tag<0> mand<0> client<0x0> RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 15: Authentic len= 4 svc<0> prot<0> tag<0> mand<1> client<0x0>radius RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_send: sent msg ipc_send passed buf_len: 448 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_free: Freeing the aaa base req structure 5013a898, 5013add8 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_handle_protocol_base_msg: Received IPC message Type 1 App type 0 id 43 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_authen_sent: FSM State: AUTHEN SENT Event:9 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_authen_sent: Received PASS status from radius RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:aaa Base Client Handler... RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:calling client call back function RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] aaa_base_req_free: Freeing the aaa base req structure 50baa4d8, 50d2b9a8 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_client_handler client context: ec94e9dc RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_client_handler: IPC_NOTIFY_SENDSTATUS ipc_release_buffer success msg_len= 368 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] aaa_base_req_alloc:allocated aaa base req structure 50d2b9a8, 50baa4d8 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] aaa_base_req_request_init: Setting the req param for req type RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] aaa_base_req_set_context: Setting the context structure for the aaa req RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] aaa_base_req_set_callback: Setting the callback function for the req RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] aaa_base_req_add_attr_list: Setting the attribute list for the req RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] Attribute List - - 1: acct- interval len= 4 svc<0> prot<0> tag<0> mand<1> client<0x0>600(258) 2: Acc RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] aaa_base_req_send: Sending the req request from Client to Server RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] aaa_base_handle_aaa_api: AAA Base Server Pulse handler- Received 4 msg type 24 of 237

25 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: FSM State: INIT Event:2 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: Added req in hash table id 44 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: Method List S99_AAA_list RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: Method List: 0 Server Group Name: S99_GRP1 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: Method List: 1 Server Group Name: S99_GRP2 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: Method List: 2 Server Group Name: RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: Method List: 3 Server Group Name: RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: broadcast is NOTSET RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: Named server group is selected RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: First Server group selected S99_GRP1 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] Attribute List: 0x50baa62c RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 1: acct- interval len= 4 svc<0> prot<0> tag<0> mand<1> client<0x0>600(258) RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 2: Acct- Status- Type len= 4 Start RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 3: Event- Timestamp len= 4 svc<0> prot<0> tag<0> mand<1> client<0x0> (53c72333) RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 4: parent- if- handle len= (1260) RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 5: port- type len= 4 Virtual PPPoE over QinQ RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 6: outer- vlan- id len= 4 101(65) RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 7: inner- vlan- id len= 4 99(63) RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 8: protocol- type len= 4 ppp RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 9: if- handle len= (15a0) RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 10: client- mac- address len= 14 a857.4e06.4f47 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 11: string- session- id len= RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 12: nas- port len= ( ) RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 13: interface len= 14 0/0/101/ RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 14: dnis len= 2 99 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 15: formatted- clid len= 14 a857.4e06.4f47 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 16: username len= 8 PPP2@S99 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 17: addr len= RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 18: Authentic len= 4 RADIUS RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 19: class len= f f 45 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 20: vrf- id len= ( ) RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 21: route len= RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 22: ipv4- session- state len= 1 true RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 23: physical- subslot len= 4 0(0) RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 24: physical- adapter len= 4 0(0) RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 25: physical- slot len= 4 0(0) RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 26: physical- chassis len= 4 0(0) RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 27: physical- port len= 4 101(65) RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 28: pppoe- session- id len= 4 9(9) RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 29: Framed- Protocol len= 4 PPP RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 30: service- type len= 4 Framed RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 31: connect- progress len= 4 IPCP Open RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 32: password len= 5 <opaque value> RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] 33: accounting- type len= 4 subscriber RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_marshall_aaa_base_req_request_parameters: Marshalling req Message type 4 Application id 0 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_send: sent msg ipc_send passed buf_len: 575 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_handle_aaa_base_msg: Received IPC message Type 4 App type 0 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_alloc:allocated aaa base req structure 5013a898, 5013add8 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] Attribute List: 0x5013b1ac RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 1: acct- interval len= 4 svc<0> prot<0> tag<0> mand<1> client<0x0>600(258) RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 2: Acct- Status- Type len= 4 Start RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 3: Event- Timestamp len= 4 svc<0> prot<0> tag<0> mand<1> client<0x0> (53c72333) 25 of 237

26 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 4: parent- if- handle len= (1260) RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 5: port- type len= 4 Virtual PPPoE over QinQ RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 6: outer- vlan- id len= 4 101(65) RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 7: inner- vlan- id len= 4 99(63) RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 8: protocol- type len= 4 ppp RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 9: if- handle len= (15a0) RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 10: client- mac- address len= 14 a857.4e06.4f47 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 11: string- session- id len= RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 12: nas- port len= ( ) RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 13: interface len= 14 0/0/101/ RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 14: dnis len= 2 99 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 15: formatted- clid len= 14 a857.4e06.4f47 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 16: username len= 8 PPP2@S99 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 17: addr len= RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 18: Authentic len= 4 RADIUS RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 19: class len= f f 45 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 20: vrf- id len= ( ) RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 21: route len= RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 22: ipv4- session- state len= 1 true RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 23: physical- subslot len= 4 0(0) RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 24: physical- adapter len= 4 0(0) RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 25: physical- slot len= 4 0(0) RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 26: physical- chassis len= 4 0(0) RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 27: physical- port len= 4 101(65) RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 28: pppoe- session- id len= 4 9(9) RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 29: Framed- Protocol len= 4 PPP RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 30: service- type len= 4 Framed RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 31: connect- progress len= 4 IPCP Open RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 32: password len= 5 <opaque value> RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] 33: accounting- type len= 4 subscriber RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: FSM State: INIT Event:5 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:aaa Base Client Handler... RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:calling client call back function RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_handle_aaa_msg: Invoking call back function for app type 0 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_get_server_group_name: Server group name: S99_GRP1 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_client_handler client context: ec94e9dc RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_client_handler: IPC_NOTIFY_SENDSTATUS ipc_release_buffer success msg_len= 448 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_add_attr_list: Setting the attribute list for the req RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:client] Attribute List - - RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] aaa_base_handle_aaa_api: AAA Base Server Pulse handler- Received 5 msg type RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_acct_received: FSM State: ACCT RECEIVED Event:8 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] Attribute List: 0x5013b1ac RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_send: sent msg ipc_send passed buf_len: 37 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_free: Freeing the aaa base req structure 5013a898, 5013add8 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_handle_protocol_base_msg: Received IPC message Type 5 App type 0 id 44 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_acct_sent: FSM State: ACCT SENT Event:11 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:aaa Base Client Handler... RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_acct_sent: Received PASS status from radius 26 of 237

27 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:client] aaa_base_req_free: Freeing the aaa base req structure 50d2b9a8, 50baa4d8 RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:calling client call back function RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_client_handler client context: ec94e9dc RP/0/RSP0/CPU0:Jul 17 01:13: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_client_handler: IPC_NOTIFY_SENDSTATUS ipc_release_buffer success msg_len= 575 RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_client_handler client context: ec94e9dc RP/0/RSP0/CPU0:Jul 17 01:13: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_client_handler: IPC_NOTIFY_SENDSTATUS ipc_release_buffer success msg_len= SADB - Subscriber Attribute Database Subscriber Identity and Credential AAA Attributes from different components are stored in this Database. SADB does not save the subscriber conpiguration. show session information can give most of the AAA attributes information RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber manager sadb Thu Jul 17 00:39: UTC Sublabel: 0x Node_ID: Signature: 0xabcdef12 Version: 1 Rev: 17 Length: 383 Attribute list: : parent- if- handle len= (1260) 2: port- type len= 4 Virtual PPPoE over QinQ 3: outer- vlan- id len= 4 101(65) 4: inner- vlan- id len= 4 99(63) 5: protocol- type len= 4 ppp 6: if- handle len= (1520) 7: client- mac- address len= 14 a857.4e06.4f47 8: string- session- id len= : nas- port len= ( ) 10: interface len= 14 0/0/101/ : dnis len= : formatted- clid len= 14 a857.4e06.4f47 13: username len= 8 PPP2@S99 14: addr len= : Authentic len= 4 RADIUS 16: class len= f f 45 17: vrf- id len= ( ) 18: route len= : ipv4- session- state len= 1 true 20: accounting- list len= 12 S99_AAA_list 21: start_time len= 4 27 of 237

28 2.3.SUBDB - Subscriber Database and session config handling session config from multiple sources including radius server There is another database called Subscriber Database(SUBDB) to store the conpig and the association of conpig to session. The unit of conpig object applied to a session is attribute, which could come from following Pive types of TEMPLATE. RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber database association type? ipsubscriber IP Subscriber Interface dynamic template type ppp PPP Interface dynamic template type service-profile Service Profile dynamic template type subscriber-service Subscriber Service dynamic template type user-profile User Profile dynamic template type There are different way to handle the conpig attributes from different type of template. Further more, when same attributes are applied to a session from more than one templates, preference ordering is needed. template type user-profile ipsubscriber ppp subscriberservice serviceprofile 28 of 237

29 where to define the template with its attributes BNG BNG BNG radius server radius server example of the config dynamic-template type ipsubscriber UNNUMBER ipv4 unnumbered Loopback500 dynamic-template type ppp S99_DT_PTA_MIN ppp ipcp peeraddress pool S99_POOL_PPPV 4 ipv4 unnumbered Loopback1099 dynamic-template type service S99_SERVICE_2 service-policy input S99_IN_POLICING _1M service-policy output S99_OUT_SHAPI NG_9M_H ipv4 access-group S99_ACL_in_2 ingress ipv4 access-group S99_ACL_out_2 egress PPP6@S99 Cleartext- Password := "cisco" Cisco-avpair = "ipv4- unnumbered=loop back1199", Cisco-avpair += "addrpool=s99_pool_ PPPV4_VRF", Cisco-avpair += "subscriber:sa=s99 _SERVICE_2", Cisco-avpair += "vrfid=s99_vrf" DOWNLOADING_ SERVICE_1 Cleartext- Password := "cisco" Cisco-AVPair += "sub-qos-policyin=s99_in_polici NG_256K", Cisco-AVPair += "sub-qos-policyout=s99_out_po LICING_512K" activate/ deactive in control policy (CLI) activate/ deactive by attribute downloaded in accessaccepted supported supported supported not supported supported supported supported not supported supported supported (5.2.0), SA=SERVIC E_NAME and methodlist=<mlist> activate/ deactive by COA supported, SA=SERVIC E_NAME supported, SA=SERVIC E_NAME supported, SA=SERVIC E_NAME not supported supported, SA=SERVIC E_NAME and methodlist=<mlist> seviceupdate via COA not supported not supported not supported not supported supported attributes individually pull/push from radius server/coa not supported not supported not supported supported not supported preference lowest lowest low highest medium 29 of 237

30 Please be noted that Dynamic- template type service will take precedence over type ipsubscriber/ppp. sh subscriber database association <> will give the order it which it is done. dynamic- template- type ppp, type ipsub are equal to each other in terms of preference Example of multi-source session config Following example shows how the conpig attributes from different source are applied to a session in different ways. Con?ig on ASR9K BNG interface Bundle-Ether description PPPoEv4 access-interface for student_99 service-policy type control subscriber S99_CP_PTA_SERVICE_DOWNLOAD pppoe enable encapsulation dot1q 101 second-dot1q 99 ethernet-services access-group S99_PPPoE_ONLY ingress policy-map type control subscriber S99_CP_PTA_SERVICE_DOWNLOAD event session-start match-first class type control subscriber S99_PTA do-until-failure 10 activate dynamic-template S99_DT_LCP event session-activate match-first class type control subscriber S99_PTA do-until-failure 10 authenticate aaa list S99_AAA_list downloading user-profile in this step 20 activate dynamic-template DOWNLOADING_SERVICE_1 aaa list S99_AAA_list service authorization to get the definition of service-profile in this step 30 activate dynamic-template S99_DT_PTA_MIN activate local defined dynamic-template in this step aaa authorization subscriber S99_AAA_list group S99_GRP1 group S99_GRP2 dynamic-template type ppp S99_DT_PTA_MIN ppp ipcp peer-address pool S99_POOL_PPPV4 ipv4 unnumbered Loopback of 237

31 type ppp S99_DT_LCP ppp authentication pap chap type service S99_SERVICE_2 service-policy input S99_IN_POLICING_1M service-policy output S99_OUT_SHAPING_9M_H ipv4 access-group S99_ACL_in_2 ingress ipv4 access-group S99_ACL_out_2 egress please be noted there is no definition of service DOWNLOADING_SERVICE_1 as a dynamic-template, it s defined as a service-profile in radius server Con?ig on radius server ###user-profile defined in radius server### PPP6@S99 Cleartext-Password := "cisco" Cisco-avpair = "ipv4-unnumbered=loopback1199", Cisco-avpair += "addr-pool=s99_pool_pppv4_vrf", Cisco-avpair += "subscriber:sa=s99_service_2", Cisco-avpair += vrf-id=s99_vrf" ###service profile defined in radius server## DOWNLOADING_SERVICE_1 Cleartext-Password := "cisco" Cisco-AVPair += "sub-qos-policy-in=s99_in_policing_256k", Cisco-AVPair += sub-qos-policy-out=s99_out_policing_512k please be noted that the attributes defined in the user-profile and service-profile conflict to some of the attributes defined in the local dynamic-template. the result will show you how an attribute from a source with higher preference overrides those from a source with lower preference. Log on Radius server rad_recv: Access- Request packet from host port 34305, id=180, leng th=243 Cisco- AVPair = "client- mac- address=a857.4e06.4f47" Acct- Session- Id = "000005f0" NAS- Port = NAS- Port- Id = "0/0/101/99.101" Cisco- NAS- Port = "0/0/101/99.101" User- Name = "PPP6@S99" Service- Type = Framed- User User- Password = "cisco" X- Ascend- Connect- Progress = LCP- Opened Cisco- AVPair = "connect- progress=lcp Open" Framed- Protocol = PPP NAS- Port- Type = of 237

32 Called- Station- Id = "99" Calling- Station- Id = "a857.4e06.4f47" Event- Timestamp = NAS- Identifier = "Roy_BNG_1" NAS- IP- Address = Sending Access- Accept of id 180 to port Cisco- AVPair = "ipv4- unnumbered=loopback1199" Cisco- AVPair += "addr- pool=s99_pool_pppv4_vrf" Cisco- AVPair += "subscriber:sa=s99_service_2" Cisco- AVPair += "vrf- id=s99_vrf" Mon May 05 11:23: : Info: Finished request 0. rad_recv: Access- Request packet from host port 34305, id=181, leng th=84 User- Name = "DOWNLOADING_SERVICE_1" User- Password = "cisco" Service- Type = Outbound- User NAS- Identifier = "Roy_BNG_1" NAS- IP- Address = Sending Access- Accept of id 181 to port Cisco- AVPair += "sub- qos- policy- in=s99_in_policing_256k" Cisco- AVPair += sub- qos- policy- out=s99_out_policing_512k" RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all detail internal Mon May 5 11:22: UTC Interface: Bundle- Ether pppoe1520 Circuit ID: Unknown Remote ID: Unknown Type: PPPoE:PTA IPv4 State: Up, Mon May 5 11:22: IPv4 Address: , VRF: S99_VRF pool and VRF- id downloaded as part of user- profile overrides those defined locally in dynamic- template type ppp S99_DT_PTA_MIN IPv4 Up helpers: 0x {PPP} IPv4 Up requestors: 0x {PPP} IPv6 State: Down, Mon May 5 11:21: Mac Address: a857.4e06.4f47 Account- Session Id: f0 Nas- Port: User name: PPP6@S99 Outer VLAN ID: 101 Inner VLAN ID: 99 Subscriber Label: 0x Created: Mon May 5 11:21: State: Activated Authentication: authenticated Authorization: unauthorized Ifhandle: 0x0000a660 Session History ID: 15 Access- interface: Bundle- Ether Policy Executed: event Session- Start match- first [at Mon May 5 11:21: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 activate dynamic- template S99_DT_LCP [cerr: No error][aaa: Success] 32 of 237

33 event Session- Activate match- first [at Mon May 5 11:22: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 authenticate aaa list S99_AAA_list [cerr: No error][aaa: Success] 20 activate dynamic- template DOWNLOADING_SERVICE_1 aaa list S99_AAA_list [cerr: No error][aaa: Success] 30 activate dynamic- template S99_DT_PTA_MIN [cerr: No error][aaa: Success] Session Accounting: disabled Last COA request received: unavailable User Profile received from AAA: Attribute List: 0x500f9ff0 1: ipv4- unnumbered len= 12 value= Loopback1199 2: addr- pool len= 18 value= S99_POOL_PPPV4_VRF 3: ip- vrf len= 7 value= S99_VRF Services: Name : S99_DT_LCP Service- ID : 0x400003b Type : Template Status : Applied Name : S99_SERVICE_2 Service- ID : 0x400002a Type : Multi Template Status : Applied Name : DOWNLOADING_SERVICE_1 Service- ID : 0x Type : Profile Status : Applied Name : S99_DT_PTA_MIN Service- ID : 0x Type : Template Status : Applied [Last IPv6 down] Disconnect Reason: Disconnect Cause: AAA_DISC_CAUSE_DEFAULT (0) Abort Cause: AAA_AV_ABORT_CAUSE_NO_REASON (0) Terminate Cause: AAA_AV_TERMINATE_CAUSE_NONE (0) Disconnect called by: [iedge internal] [Event History] May 5 11:22: SUBDB produce done [many] May 5 11:22: IPv4 Up RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber manager sadb Mon May 5 11:28: UTC Sublabel: 0x Node_ID: Signature: 0xabcdef12 Version: 1 Rev: 13 Length: 300 Attribute list: : parent- if- handle len= (1160) 2: port- type len= 4 Virtual PPPoE over QinQ 3: outer- vlan- id len= 4 101(65) 4: inner- vlan- id len= 4 99(63) 5: protocol- type len= 4 ppp 6: if- handle len= (a660) 7: client- mac- address len= 14 a857.4e06.4f47 33 of 237

34 8: string- session- id len= f0 9: nas- port len= (650065f0) 10: interface len= 14 0/0/101/ : dnis len= : formatted- clid len= 14 a857.4e06.4f47 13: username len= 8 PPP6@S99 14: vrf- id len= ( ) 15: ip- vrf len= 7 S99_VRF 16: Authentic len= 4 RADIUS 17: addr len= : ipv4- session- state len= 1 true RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber database association Mon May 5 11:28: UTC Location 0/RSP0/CPU0 Bundle- Ether pppoe1520, subscriber label 0x69 Name Template Type U User profile DOWNLOADING_SERVICE_1:S99_AAA_listService profile S99_SERVICE_2 Service S99_DT_PTA_MIN PPP S99_DT_LCP PPP #### QoS defined in the service- profile take effect overriding the one defined in the dynamic- template type service S99_SERVICE_2 ###### RP/0/RSP0/CPU0:Roy_BNG_1#sh policy- map applied interface Bundle- Ether pppoe1520 Mon May 5 11:38: UTC Input policy- map applied to Bundle- Ether pppoe1520: policy- map S99_IN_POLICING_256K class class- default police rate 256 kbps Output policy- map applied to Bundle- Ether pppoe1520: policy- map S99_OUT_POLICING_512K class class- default police rate 512 kbps ###ACL defined in the dynamic- template type service S99_SERVICE_2 takes effect since it s the only source with ACL defined#### RP/0/RSP0/CPU0:Roy_BNG_1#sh access- lists ipv4 interface Bundle- Ether pppoe1520 Mon May 5 11:40: UTC Input ACL (common): N/A (interface): S99_ACL_in_2 Output ACL: S99_ACL_out_2 34 of 237

35 ###following CLI give you the derived config applied to a session after the preference calculation ( some of the attribuet from user- profile and service- profile are not displayed correctly, bug will be fixed in release) ### RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber running- config Thu Jul 17 01:54: UTC Subscriber Label: 0x4a dynamic- template type ppp S99_DT_LCP ipv4 mtu 700 % No such configuration item(s) dynamic- template type service S99_SERVICE_2 ipv4 access- group S99_ACL_in_2 ingress dynamic- template type service S99_SERVICE_2 ipv4 access- group S99_ACL_out_2 egress % No such configuration item(s) dynamic- template type ppp S99_DT_LCP ppp ipcp mask dynamic- template type ppp S99_DT_LCP ppp authentication pap chap dynamic- template type ppp S99_DT_LCP ppp mru ignore - - More- - % No such configuration item(s) % No such configuration item(s) % No such configuration item(s) RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber database configuration name DOWNLOADING_SERVICE_1:S99_AAA_list Thu Jul 17 02:01: UTC Subscriber configuration database object 'DOWNLOADING_SERVICE_1:S99_AAA_list' on node 0/RSP0/CPU0 Template: Type: DOWNLOADING_SERVICE_1:S99_AAA_list Service profile 35 of 237

36 Feature: QoS Attribute: qos/service/sub_sp_in SysDB pathname: /cfg/gl/dynamic- templates/service- profile/ DOWNLOADING_SERVICE_1:S99_AAA_list/qos/service/sub_sp_in Datatype: packed Value: : AB CD :..C...S : 39 5F 49 4E 5F 50 4F 4C E 47 5F : 9_IN_POLICING_ : 36 4B : 6K : 00 :. Attribute: qos/service/sub_sp_out SysDB pathname: /cfg/gl/dynamic- templates/service- profile/ DOWNLOADING_SERVICE_1:S99_AAA_list/qos/service/sub_sp_out Datatype: packed Value: : AB CD :..C...S : 39 5F 4F F 50 4F 4C E 47 5F 35 : 9_OUT_POLICING_ : B : 12K : :.. Config DB entry size: 354 bytes 3. Chapter 3, Authentication and Authorization 3.1. Terminology and fact In IOS XR, both authentication and authorization refer to the action of sending a access- request message to the RADIUS server and expecting a access- accept or access- reject with or without some attributes included. What s the difference between authentication and authorization? Authentication 36 of 237

37 The term and CLI key word Authentication is applicable to the case where the user credentials is extracted from a protocol and send to the RADIUS server without any modipication. Following are some scenarios a authentication is supposed to be used. - PPPOE PTA SESSION Username/password from PAP/CHAP in a PPP LCP negotiation. - WEB-LOGON FOR BOTH PPPOE AND IPOE SESSION Username/password are inputed by a subscriber on a portal, and received by the BNG from a COA request. Please be noted current implementation on ASR9K BNG do not allow modipication to the username and password before sending it to the radius server for authentication. If the modipication of username is needed, the only way is using key word authorization Authorization The term and CLI key word authorization is applicable to the case that the user credential is extracted from other source, such as the line information known to BNG naturally, or the case that the user credential is extract from a information carried to BNG by protocol such as DHCP/PPPoE. In later case, it s possible for the credential to be modipied before sending to the RADIUS server. - TRANSPARENT AUTO-LOGON Username is built by the information belong to a subscriber such as MAC, circuit ID, remote ID, option 60 etc. for TAL(transparent auto logon). In this case a common password is supposed to be conpigured in the BNG in the control policy and works for all of the sessions subjected to that control policy. - LAC AUTHORIZATION USING DOMAIN NAME 37 of 237

38 In this case, the LAC is supposed to send only the domain name part of the username which is learned from the PAP/CHAP to the Whole seller s RADIUS server to get the information needed to build a L2TP tunnel the LNS. Following are some conpig examples for session authentication/authorization usage in different use cases. >>>>PPPoE PTA authentication using PAP<<<< username/password input by subscriber user_1@domain.com/password username/password sent to radius (unchanged) user_1@domain.com/password policy-map type control subscriber PPPoE_PTA event session-start match-all class type control subscriber CLASS_PPPoE do-all 1 activate dynamic-template AUTH event session-activate match-all class type control subscriber CLASS_PPPoE do-until-failure 10 authenticate aaa list default 20 activate dynamic-template PPPoE end-policy-map >>>>PPPoE LAC authorization using domain name<<<< username/password input by subscriber user_1@domain.com/password username/password sent to LAC radius domain.com/cisco policy-map type control subscriber PPP_LAC event session-start match-all class type control subscriber CLASS_PPPoE do-all 1 activate dynamic-template AUTH event session-activate match-all class type control subscriber CLASS_PTA do-all 10 authorize aaa list DUAL_RADIUS format VPDN_DOMAIN password cisco 38 of 237

39 end-policy-map aaa attribute format VPDN_DOMAIN username-strip >>>>IPoE,TAL authorization on session- start, then do authentication for web logon when TAL fails<<<< on session- start username/password input by subscriber n/a on account- logon username/password sent to radius xxxx.xxxx.xxxx(source MAC)/cisco username/password input by subscriber user_1@domain.com/password username/password sent to radius (unchanged) user_1@domain.com/password policy-map type control subscriber IPoE_WLAN event session-start match-first class type control subscriber IP do-until-failure 10 activate dynamic-template UNAUTH_TPL 20 authorize aaa list IPoE_WLAN format USERNAME password cisco event authorization-failure match-first class type control subscriber IP do-until-failure 10 activate dynamic-template HTTPRDRT_TPL 20 set-timer UNAUTH_TMR 3 event account-logon match-first class type control subscriber IP do-until-failure 10 authenticate aaa list IPoE_WLAN 20 deactivate dynamic-template HTTPRDRT_TPL event timer-expiry match-first class type control subscriber UNAUTH_TMR_CM do-until-failure 10 disconnect end-policy-map aaa attribute format USERNAME format-string length 253 "%s" client-mac-address-ietf 39 of 237

40 - SERVICE AUTHORIZATION When you have a dynamic- template activated in a control policy but there is no content of that dynamic- template depined locally, an action of authorization could also be used to get the detail information of that service by sending access- request message to the radius server with the name of the service in the username with Pixed password cisco (seems no place to conpigure it), expecting the attribute associated to that service to be downloaded in an access- accept message. Following are a call Plow of a service authorization. Con?ig on ASR9K BNG policy-map type control subscriber S99_CP_PTA_SERVICE_DOWNLOAD event session-start match-first class type control subscriber S99_PTA do-until-failure 10 activate dynamic-template S99_DT_LCP event session-activate match-first class type control subscriber S99_PTA do-until-failure 10 authenticate aaa list S99_AAA_list 20 activate dynamic-template DOWNLOADING_SERVICE_1 aaa list S99_AAA_list 30 activate dynamic-template S99_DT_PTA_MIN aaa authorization subscriber S99_AAA_list group S99_GRP1 group S99_GRP2 Con?ig on radius server PPP6@S99 Cleartext-Password := "cisco" Cisco-avpair = "ipv4-unnumbered=loopback1199", Cisco-avpair += "addr-pool=s99_pool_pppv4_vrf", Cisco-avpair += "subscriber:sa=s99_service_2", Cisco-avpair += vrf-id=s99_vrf" DOWNLOADING_SERVICE_1 Cleartext-Password := "cisco" Cisco-AVPair = "sub-qos-policy-in=s99_in_policing_256k", Cisco-AVPair += sub-qos-policy-out=s99_out_policing_512k 40 of 237

41 Log on Radius server rad_recv: Access- Request packet from host port 34305, id=180, leng th=243 Cisco- AVPair = "client- mac- address=a857.4e06.4f47" Acct- Session- Id = "000005f0" NAS- Port = NAS- Port- Id = "0/0/101/99.101" Cisco- NAS- Port = "0/0/101/99.101" User- Name = "PPP6@S99" Service- Type = Framed- User User- Password = "cisco" X- Ascend- Connect- Progress = LCP- Opened Cisco- AVPair = "connect- progress=lcp Open" Framed- Protocol = PPP NAS- Port- Type = 37 Called- Station- Id = "99" Calling- Station- Id = "a857.4e06.4f47" Event- Timestamp = NAS- Identifier = "Roy_BNG_1" NAS- IP- Address = Sending Access- Accept of id 180 to port Cisco- AVPair = "ipv4- unnumbered=loopback1199" Cisco- AVPair += "addr- pool=s99_pool_pppv4_vrf" Cisco- AVPair += "subscriber:sa=s99_service_2" Cisco- AVPair += "vrf- id=s99_vrf" Mon May 05 11:23: : Info: Finished request 0. rad_recv: Access- Request packet from host port 34305, id=181, leng th=84 User- Name = "DOWNLOADING_SERVICE_1" User- Password = "cisco" Service- Type = Outbound- User NAS- Identifier = "Roy_BNG_1" NAS- IP- Address = Sending Access- Accept of id 181 to port Cisco- AVPair = "sub- qos- policy- in=s99_in_policing_256k" Cisco- AVPair += sub- qos- policy- out=s99_out_policing_512k" Please be noted that the authentication and authorization are not mandatory for the establishment of a session, you can have a session activated without depining any action of authentication/authorization in the control policy, this is Pine from ASR9K s perspective. But normally, you would like to conpigure an action explicitly to disconnect a session or apply some particular service to a session which failed to authenticate/authorise, such as HTTP redirect or limit the reachability/ 41 of 237

42 bandwidth of the subscriber for session management purpose. To achieve that, you need to depine the event of authentication- failure or authorisation- failure explicitly with actions beneath them. RP/0/RSP0/CPU0:ASR9K-42-BNG(config-pmap)#event? account-logoff Account logoff event account-logon Account logon event authentication-failure Authentication failure event authentication-no-response Authentication no response event authorization-failure Authorization failure event authorization-no-response Authorization no response event Authenticated and authorised state Following are the description in detail what happens when authentication/ authorization is conducted. - When there is an action of authenticate depined in the control policy and a access- accept received, the session will be marked as authenticated, the session will be alive and in activated state. - When there is an action of authenticate depined in the control policy and a access- reject received, the session will be torn down immediately, unless in the control policy there is an event of unauthenticate depined and make the BNG to take other actions to that session. In later case, the session will be marked as unauthenticated, but the session will be alive and in activated state. - When there is no action of authenticate depined in the control policy, a session could be established without communication with RADIUS server for authentication. The session will be marked as unauthenticated, but the session will be alive and in activated state. - The logic for authorization is quite the same to that for authentication. It worth a noting that before release, there is only the Plag for authentication in the BNG implementation, the missing of authorisation Plag 42 of 237

43 make it impossible to replect the state of authorisation and further processing based on the authorisation state. To improve that, ddts CSCue06943 was raised and Pixed from release. From release onward when you do show subscriber session all detail from the console, you can see both authentication Plag and authorisation Plag. Please be noted that they are independent Plag, replecting the state of authentication and authorisation respectively. Display for session authenticated(5.1.1) ====================================== RP/0/0/CPU0:server# show subscriber session all detail Interface: GigabitEthernet0/0/0/0.3.pppoe1 Circuit ID: circuit_id1 Remote ID: remote_id1 Type: PPPoE:PTA IPv4 State: Up, Tue Sep 10 14:27: IPv4 Address: , VRF: default Mac Address: 0219.a220.e809 Account- Session Id: Nas- Port: Unknown User name: Outer VLAN ID: 15 Subscriber Label: 0x Created: Tue Sep 10 14:27: State: Activated < session is live and OK Authentication: authenticated Authorization: unauthorized <- new in release Access- interface: GigabitEthernet0/0/0/0.3 Policy Executed: policy- map type control subscriber POLICY1 event Session- Start match- all [at Tue Sep 10 14:27: ] class type control subscriber PTA_CLASS do- all [Succeeded] 1 activate dynamic- template PPP_PTA_TEMPLATE [Succeeded] 3 activate dynamic- template ACCOUNT2 [Succeeded] event Session- Activate match- all [at Tue Sep 10 14:27: ] class type control subscriber PTA_CLASS do- all [Succeeded] 3 authenticate aaa list default [Succeeded] Display for session authorised(5.1.1) ====================================== RP/0/0/CPU0:one#show subsc sess all det Interface: GigabitEthernet0/2/0/1.2.ip1 Circuit ID: Unknown Remote ID: Unknown Type: IP: Packet- trigger IPv4 State: Up, Tue Sep 10 17:01: IPv4 Address: , VRF: default Mac Address: of 237

44 Account- Session Id: Nas- Port: Unknown User name: Outer VLAN ID: 2 Subscriber Label: 0x Created: Tue Sep 10 17:01: State: Activated Authentication: unauthenticated Authorization: authorized Access- interface: GigabitEthernet0/2/0/1.2 Policy Executed: policy- map type control subscriber PL2 event Session- Start match- first [at Tue Sep 10 17:01: ] class type control subscriber class- default do- all [Succeeded] 1 activate dynamic- template pkt- trig1 [Succeeded] 2 authorize aaa list default [Succeeded] Display for session without?lag of authorization(4.3.1) ====================================== RP/0/RSP0/CPU0:BNG_SandBox_Feature#sh subscriber sess all detail Tue Dec 18 11:57: PST Interface: Bundle- Ether102.7.pppoe89 Circuit ID: Unknown Remote ID: Unknown Type: PPPoE:PTA IPv4 State: Up, Tue Dec 18 11:57: IPv4 Address: , VRF: default Mac Address: 4284.c29e.0000 Account- Session Id: Nas- Port: User name: cisco Outer VLAN ID: 140 Inner VLAN ID: 1 Subscriber Label: 0x Created: Tue Dec 18 11:57: State: Activated Authentication: authenticated Access- interface: Bundle- Ether102.7 Policy Executed: policy- map type control subscriber BELL- 6 event Session- Start match- first [at Tue Dec 18 11:57: ] class type control subscriber PPP do- all [Succeeded] 10 activate dynamic- template PPP_CHAP_PAP [Succeeded] event Session- Activate match- first [at Tue Dec 18 11:57: ] class type control subscriber BELL_CANADA_DOMAIN do- until- failure [Failed] class type control subscriber BELL_CANADA_DOMAIN_NON do- until- failure [Failed] class type control subscriber PPP do- until- failure [Succeeded] 10 authenticate aaa list default [Succeeded] 20 activate dynamic- template PPP_BELL [Succeeded] Session Accounting: disabled Last COA request received: unavailable [Last IPv6 down] Disconnect Reason: 44 of 237

45 4. Chapter 4, Attributes in Access-Request - report session information 4.1.Manipulation of attributes - the principle - The attributes included in to access- accept message is decided by the code, no CLI is provided to specify what attributes should be included in a access- accept message. - The format and value of some of the attributes could be customized using a CLI. - it s allowed to use a attribute list to Pilter the attributes allowed to be sent. 4.2.IPoE session access-request A typical IPoE TAL access- request message including following attributes Note: the attribute type for cisco AVpair is always string, since the whole AVpair is a string, for example Cisco- AVPair: if- handle= , here the if- handle= is a string. Type Vendor A+ribute name A+ribute A+ribute Informa7on Note value value type filled 26,9,1 Cisco Cisco- AVPair client- mac- String MAC of the System address=value client generated 26,3561,1 ADSL forum Agent- Circuit- Id string 45 of 237

46 26,3561,2 ADSL forum Agent- Remote- Id string 26,9,1 Cisco Cisco- AVPair remote- id- tag=value 26,9,1 Cisco Cisco- AVPair circuit- id- tag=value String DHCP op7on 82 Remote- id String DHCP op7on 82 Circuit- id From DHCP packet or inserted on 9K by CLI From DHCP packet or inserted on 9K by CLI 26,9,1 Cisco Cisco- AVPair dhcp- vendor- class=value String DHCP op7on 60 IPoE only, extracted from DHCP discover 87 IETF NAS- Port- Id value String Slot/port/vlan etc, that the session coming from Customizable per system or per nas- port- type 26,9,2 Cisco Cisco- NAS- Port Cisco- NAS- String Slot/port/vlan The same value Port=value etc, that the to IETF Nas- Port- session coming ID from 1 IETF User- Name String Customizable format per control policy 6 IETF Service- Type integer Dialout- Framed- User(code 5) for IPoE 2 IETF User- Password Encrypted Configured password in control policy- map for IPoE TAL 44 IETF Acct- Session- Id String Unique ID for session System generated, not configurable Configurable per control policy system generated, format configurable per system 46 of 237

47 26,9,1 Cisco parent- if- handle String Internal number indica7ng, meaningless to radius server 61 IETF NAS- Port- Type integer Type of the access- interface Value customizable per access- interface 30 IETF Called- Sta7on- Id String By default it is Circuit- id Format customizable per system or per nas- port- type 31 IETF Calling- Sta7on- String By default it is Format Id Remote- id customizable per system or per nas- port- type 55 IETF Event- integer System Timestamp 32 IETF NAS- Iden7fier string Hostname configured in BNG generated System generated 4 IETF NAS- IP- Address ipv4addr Radius source interface System generated address configured in BNG, need to match the registered host address in RADIUS server 5 IETF NAS- Port integer physical port informa7on of the NAS which is Format customizable per system or per nas- port- type See appendix 1 for an example of access- request message for DHCP initiated IPoE session authen7ca7ng the user 47 of 237

48 4.3. PPPoE session access-reqeust A typical PPPoE access- request message including following attributes Red part is the difference comparing to IPoE access- request Type Vendor A+ribute name A+ribute A+ribute Informa7on Note value value type filled 26,9,1 Cisco Cisco- AVPair client- mac- String MAC of the system address=value client, in format generated of a857.4e06.4f4 7 26,3561,1 ADSL forum Agent- Circuit- Id string pppoe tag circuit- id present only when pppoe circuit- id exists 26,3561,2 ADSL Agent- Remote- string pppoe tag present only forum Id remote- id when pppoe remote- id exists 26,9,1 Cisco Cisco- AVPair remote- id- String pppoe tag present only tag=value circuit- id when pppoe circuit- id exists 26,9,1 Cisco Cisco- AVPair circuit- id- String pppoe tag present only tag=value remote- id when pppoe remote- id exists 26,9,1 Cisco Cisco- AVPair dhcp- vendor- class=value String DHCP op7on 60 IPoE only, extracted from DHCP discover 87 IETF NAS- Port- Id value String Slot/port/vlan etc, that the session coming from always included. Customizable per system or per nas- port- type 26,9,2 Cisco Cisco- NAS- Port Cisco- NAS- String Slot/port/vlan The same value Port=value etc, that the to IETF Nas- Port- session coming ID from 48 of 237

49 1 IETF User- Name String from ppp protocol 6 IETF Service- Type integer Framed- User (code 2) for PPPoE System generated, not configurable 2 IETF User- Password Encrypted from ppp protocol 44 IETF Acct- Session- Id String Unique ID for session system generated, format configurable per system 26,9,1 Cisco parent- if- handle String Internal number indica7ng, meaningless to radius server meaningless to RADIUS server, not present anymore from IETF NAS- Port- Type integer Type of the access- interface Value customizable per access- interface 30 IETF Called- Sta7on- String By default it is Format Id Circuit- id customizable per system or per nas- port- type 31 IETF Calling- Sta7on- String By default it is Format Id Remote- id customizable per system or per nas- port- type 55 IETF Event- integer System Timestamp 32 IETF NAS- Iden7fier string Hostname configured in BNG generated System generated 49 of 237

50 4 IETF NAS- IP- Address ipv4addr Radius source interface address configured in BNG, need to match the registered host address in RADIUS server 5 IETF NAS- Port integer physical port informa7on of the NAS which is authen7ca7ng the user System generated presence only with explicitly configura7on(aa a radius a+ribute nas- port format). Format customizable per system or per nas- port- type 196 Ascend X- Ascend- integer Indicates the h+p:// Connect- state of the docs.snake.de/ Progress connec7on TNT/7/radius/ before it a+rib.htm disconnects. For PPPoE access request this value is set to 65, LCP is in the Open state. 26,9,1 Cisco Cisco- AVPair connect- string For PPPoE progress=valu access request e this value is set to connect- progress=lcp Open 7 IETF Framed- integer Set to 1, code Protocol for PPP 3 IETF CHAP- Password c CHAP only 60 IETF CHAP- Challenge CHAP only 50 of 237

51 See appendix 2 for an example of access- request message for PPPoE PTA session. 4.4.Customising the attribute in access-request NAS-Port-Type By default, ASR9K populate the nas- port- type attribute based on the actual type and encapsulation conpiguration of a access- interface under which a session is created, detail information is in following table. Nas- port- type Values Example interface/ encapsulation Whether value can be derived from associated interface Whether value can be con?igured on the interface con?iguration mode ASYNC 0 No Yes SYNC 1 No Yes ISDN 2 No Yes ISDN_V120 3 No Yes ISDN_V110 4 No Yes VIRTUAL 5 No Yes ISDN_PIAFS 6 No Yes X75 9 No Yes ETHERNET 15 No Yes PPPATM 30 No Yes PPPOEOA 31 No Yes PPPOEOE 32 Yes Yes PPPOEOVLAN 33 Int g 0/0/0/0.1 Encapsulation dot1q 10(supported from release) Yes Yes 51 of 237

52 PPPOEOQINQ 34 Int g 0/0/0/0.1 Encapsulation dot1q 10 second dot1q 100(supported from release) Yes Yes VIRTUAL_PPPOEOE 35 N/A Yes Yes VIRTUAL_PPPOEOV 36 Int bundle- e Yes Yes LAN Encapsulation dot1q 10 VIRTUAL_PPPOEOQ 37 Int bundle- e Yes Yes INQ Encapsulation dot1q 10 second dot1q 100 IPSEC 38 No Yes IPOEOE 39 Yes Yes IPOEOVLAN 40 Int g 0/0/0/0.1 Encapsulation dot1q 10(supported from release) IPOEOQINQ 41 Int g 0/0/0/0.1 Encapsulation dot1q 10 second dot1q 100(supported from release) Yes Yes Yes Yes VIRTUAL_IPOEOE 42 N/A Yes Yes VIRTUAL_IPOEOVL 43 Int bundle- e Yes Yes AN Encapsulation dot1q 10 VIRTUAL_IPOEOQI NQ Before release, only session over bundle subinterface is supported. A bundle subinteface is a virtual interface, so 36, 37, 43, 44 are possible nas- port- type value derived from interface with BNG enabled. In release, with the support of BNG over physical interface, you will see type 33, 34, 40, Int bundle- e Encapsulation dot1q 10 second dot1q 100 Yes Yes 52 of 237

53 On the other hand, the NAS- Port- Type is made conpigurable for each main interface, or VLAN sub- interface. With a different NAS- Port- Type value conpigured on the interface, the NAS- Port and NAS- Port- ID gets formatted according to the formats depined globally for the new NAS- Port- Type conpigured on the interface, instead of the actual value of NAS- Port- Type that the interface has. This in turn sends different formats of NAS- Port, NAS- Port- ID and NAS- Port- Type to the RADIUS server for the subscribers under different production models. In the case of sub- interfaces, the hierarchy to be followed in deciding the format of NAS- Port- Type to be sent to the RADIUS server is: 1. Verify whether the NAS- Port- Type is conpigured on the sub- interface in which the subscriber session arrives. 2. If NAS- Port- Type is not conpigured on the sub- interface, verify whether it is conpigured on the main physical interface(or main bundle- etherent interface). The format of NAS- Port or NAS- Port- ID is based on the NAS- Port- Type retrieved in Step 1 or Step If NAS- Port- Type is conpigured on neither the sub- interface nor the main physical interface, the format of NAS- Port or NAS- Port- ID is based on the format of the default NAS- Port- Type of the sub- interface. 4. If a NAS- Port or NAS- Port- ID format is not conpigured for the NAS- Port- Type retrieved in steps 1, 2 or 3, the format of NAS- Port or NAS- Port- ID is based on the default formats of NAS- Port or NAS- Port- ID. Use following command to conpigure NAS- Port- Type per interface or sub- interface: aaa radius attribute nas-port-type <nas-port-type> The best of practices is to conpigure the nas- port- type per access- interface (bundle sub- interface) 53 of 237

54 4.4.2.AAA Attribute Format It is possible to depine a customized format for some attributes. The conpiguration syntax for creating a new format is: aaa attribute format <format-name> format-string [length] <string> *[<Identity-Attribute>] where: - format- name SpeciPies the name given to the attribute format. This name is referred when the format is applied on an attribute. - length (Optional) SpeciPies the maximum length of the formatted attribute string. If the Pinal length of the attribute string is greater than the value specipied in LENGTH, it is truncated to LENGTH bytes. The maximum value allowed for LENGTH is 255. If the argument is not conpigured, the default is also string Contains regular ASCII characters that includes conversion specipiers. Only the % symbol is allowed as a conversion specipier in the STRING. The STRING value is enclosed in double quotes. - Identity- Attribute IdentiPies a session, and includes user- name, ip- address, and mac- address. A list of currently- depined identity attributes is displayed on the CLI. In release following identity- attributes are supported. RP/0/RSP0/CPU0:Roy_BNG_1(config)#aaa attribute format TEST format-string "%s"? OR OR between two attributes addr Source IP address of subscriber circuit-id-tag Circuit-Id Tag client-mac-address MAC address of client client-mac-address-ietf MAC address of client in ietf format client-mac-address-raw MAC address of client in raw format dhcp-vendor-class DHCP vendor class name dhcpv6-interface-id DHCPv6 Interface-Id inner-vlan-id Inner VLAN ID needed to form NAS Port 54 of 237

55 outer-vlan-id Outer VLAN ID needed to form NAS Port physical-adapter Physical adapter needed to form NAS Port physical-chassis Physical chassis needed to form NAS Port physical-port Physical port needed to form NAS Port physical-slot Physical slot needed to form NAS Port physical-subslot Physical subslot needed to form NAS Port port-type Interface/Port type pppoe-session-id PPPOE Session Id remote-id-tag Remote-Id Tag username The name of the user In release following identity- attributes are supported. RP/0/RSP0/CPU0:Roy_BNG_1(config)#aaa attribute format TEST format-string "%s"? OR OR between two attributes addr Source IP address of subscriber circuit-id-tag Circuit-Id Tag client-mac-address MAC address of client client-mac-address-ietf MAC address of client in ietf format client-mac-address-raw MAC address of client in raw format dhcp-client-id DHCP Client Identifier dhcp-client-id-spl DHCP Client Id special string dhcp-user-class DHCP User Class dhcp-vendor-class DHCP vendor class name dhcpv6-interface-id DHCPv6 Interface-Id inner-vlan-id Inner VLAN ID needed to form NAS Port outer-vlan-id Outer VLAN ID needed to form NAS Port physical-adapter Physical adapter needed to form NAS Port physical-chassis Physical chassis needed to form NAS Port physical-port Physical port needed to form NAS Port physical-slot Physical slot needed to form NAS Port physical-subslot Physical subslot needed to form NAS Port port-type Interface/Port type pppoe-session-id PPPOE Session Id remote-id-tag Remote-Id Tag username The name of the user <cr> Once the format is depined, the FORMAT- NAME can be applied to various AAA attributes. currently, only 4 attributes could be customised in this way. - username (for authorisation) - Nas- Port- ID - calling- station- ID - called- station- ID The conpigurable AAA attributes that use the format capability are explained later. 55 of 237

56 4.4.3.Username To some extent, you can construct the username only for authorization in a customised way. The use of a particular attribute format for the username could vary on a per control policy base, another words, it could be per access- interface based. Further more, class- map in a control policy gives a more granular way to customise the format of a username. policy-map type control subscriber IPoE_WLAN event session-start match-first class type control subscriber IP do-until-failure 10 activate dynamic-template UNAUTH_TPL 20 authorize aaa list IPoE_WLAN format USERNAME_FORMAT password cisco aaa attribute format USERNAME_FORMAT format-string length 253 "%s" addr Besides the format attribute for username construction, you can also modify the username by add/strip the domain name. in this case, you must use authorization in the control policy. To strip a domain name in a username. aaa attribute format REMOVING_DOMAIN username-strip policy-map type control subscriber S99_CP_PTA_AUTHOR_REMOVE_DOMAIN event session-start match-first class type control subscriber S99_PTA do-until-failure 10 activate dynamic-template S99_DT_LCP event session-activate match-first class type control subscriber S99_PTA do-until-failure 10 authorize aaa list S99_AAA_list format REMOVING_DOMAIN password use-from-line 20 activate dynamic-template S99_DT_PTA_MIN Connect PPPoE session with username PPP1@S99 56 of 237

57 RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: RADIUS: Send Access- Request to :1812 id 96, len 239 RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: RADIUS: authenticator 4D E9 FE 0E C6 53 C3 BA - A9 63 B5 1E 05 E0 2C 0E RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: RADIUS: Vendor- Specific [26] 41 RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: RADIUS: Acct- Session- Id [44] a3 RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: RADIUS: NAS- Port [5] RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: RADIUS: NAS- Port- Id [87] 16 0/0/101/ RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: RADIUS: Vendor- Specific [26] 22 RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: RADIUS: User- Name [1] 6 PPP1 RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: RADIUS: Service- Type [6] 6 Framed[0] RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: RADIUS: User- Password [2] 18 * RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: Unsuppoted attribute. RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: RADIUS: Vendor- Specific [26] 33 RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: RADIUS: Framed- Protocol [7] 6 PPP[0] RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: RADIUS: NAS- Port- Type [61] 6 Virtual PPPoEoQinQ[0] RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: RADIUS: Called- Station- Id [30] 4 99 RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: RADIUS: Calling- Station- Id [31] 16 a857.4e06.4f47 RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: RADIUS: Event- Timestamp [55] RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: RADIUS: Nas- Identifier [32] 11 Roy_BNG_1 RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: RADIUS: NAS- IP- Address [4] RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: Updating last used server RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: Got global deadtime 0 RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: Using global deadtime = 0 sec RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: Start timer thread rad_ident 96 remote_port 1812 remote_addr 0xac1258dd, socket rctx 0x5015ba34 RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: Successfully sent packet and started timeout handler for rctx 0x5015ba34 RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: rctx found is 0x5015ba34 RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: Radius packet decryption complete with rc = 0 RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: RADIUS: Received from id :1812, Access- Accept, len 20 RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: RADIUS: authenticator 7B 6D AB 6C 0F F - 06 AD AF 37 B4 A2 70 C9 RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: Freeing server group transaction_id ( C) RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: pack_length = 20 radius_len = 20 RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: rad_nas_reply_to_client: Received response from id : 96,packet type 2 RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: (rad_nas_reply_to_client) Successfully decoded the response No error: PASS RP/0/RSP0/CPU0:May 5 00:37: : radiusd[1117]: (rad_nas_reply_to_client) Successfully stored the preferred server info 57 of 237

58 RP/0/RSP0/CPU0:Roy_BNG_1# RP/0/RSP0/CPU0:Roy_BNG_1# RP/0/RSP0/CPU0:Roy_BNG_1# RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de internal Mon May 5 00:37: UTC Interface: Bundle- Ether pppoe135 Circuit ID: Unknown Remote ID: Unknown Type: PPPoE:PTA IPv4 State: Up, Mon May 5 00:37: IPv4 Address: , VRF: default IPv4 Up helpers: 0x {PPP} IPv4 Up requestors: 0x {PPP} IPv6 State: Down, Mon May 5 00:37: Mac Address: a857.4e06.4f47 Account- Session Id: a3 Nas- Port: User name: PPP1 Outer VLAN ID: 101 Inner VLAN ID: 99 Subscriber Label: 0x Created: Mon May 5 00:37: State: Activated Authentication: unauthenticated Authorization: authorized Ifhandle: 0x Session History ID: 20 Access- interface: Bundle- Ether Policy Executed: event Session- Start match- first [at Mon May 5 00:37: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 activate dynamic- template S99_DT_LCP [cerr: No error][aaa: Success] event Session- Activate match- first [at Mon May 5 00:37: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 authorize aaa list S99_AAA_list [cerr: No error][aaa: Success] 20 activate dynamic- template S99_DT_PTA_MIN [cerr: No error][aaa: Success] Session Accounting: disabled Last COA request received: unavailable User Profile received from AAA: None Services: Name : S99_DT_LCP RP/0/RSP0/CPU0:Roy_BNG_1#sh sub sub- util subscriber RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber database? association Association between subscriber sessions and dynamic templates configuration Display subscriber configuration database information connection Client connection identifiers interface Mapping between subscriber labels and interface handles session Subscriber Management Subscriber Session information(cisco- support) statistics Subscriber database statistics summary Subscriber Database summary counts trace RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber manager sadb Mon May 5 00:37: UTC Show Subscriber Database traces(cisco- support) Sublabel: 0x Node_ID: Signature: 0xabcdef12 Version: 1 Rev: 14 Length: 294 Attribute list: of 237

59 1: parent- if- handle len= (1160) 2: port- type len= 4 Virtual PPPoE over QinQ 3: outer- vlan- id len= 4 101(65) 4: inner- vlan- id len= 4 99(63) 5: protocol- type len= 4 ppp 6: if- handle len= (3920) 7: client- mac- address len= 14 a857.4e06.4f47 8: string- session- id len= a3 9: nas- port len= ( ) 10: interface len= 14 0/0/101/ : dnis len= : formatted- clid len= 14 a857.4e06.4f47 13: username len= 4 PPP1 14: author_status len= 1 true 15: addr len= : vrf- id len= ( ) 17: ipv4- session- state len= 1 true To append a domain name to a username aaa attribute format ADDING_DOMAIN format-string "%s@added_domain" username policy-map type control subscriber S99_CP_PTA_AUTHOR_ADD_DOMAIN event session-start match-first class type control subscriber S99_PTA do-until-failure 10 activate dynamic-template S99_DT_LCP event session-activate match-first class type control subscriber S99_PTA do-until-failure 10 authorize aaa list S99_AAA_list format ADDING_DOMAIN password use-from-line 20 activate dynamic-template S99_DT_PTA_MIN Connect PPPoE session with username PPP1 RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: RADIUS: Send Access- Request to :1812 id 145, len 252 RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: RADIUS: authenticator 13 E D D DE BB 5C 44 9E RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: RADIUS: Acct- Session- Id [44] RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: RADIUS: Vendor- Specific [26] 41 RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: RADIUS: NAS- Port [5] RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: RADIUS: NAS- Port- Id [87] 16 0/0/101/ RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: RADIUS: User- Name [1] 19 PPP1@added_domain RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: RADIUS: Service- Type [6] 6 Framed[0] 59 of 237

60 RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: RADIUS: User- Password [2] 18 * RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: Unsuppoted attribute. RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: RADIUS: Vendor- Specific [26] 22 RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: RADIUS: Vendor- Specific [26] 33 RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: RADIUS: Framed- Protocol [7] 6 PPP[0] RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: RADIUS: NAS- Port- Type [61] 6 Virtual PPPoEoQinQ[0] RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: RADIUS: Called- Station- Id [30] 4 99 RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: RADIUS: Calling- Station- Id [31] 16 a857.4e06.4f47 RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: RADIUS: Nas- Identifier [32] 11 Roy_BNG_1 RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: RADIUS: NAS- IP- Address [4] RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: RADIUS: Event- Timestamp [55] RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: Got global deadtime 0 RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: Updating last used server RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: Using global deadtime = 0 sec RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: Start timer thread rad_ident 145 remote_port 1812 remote_addr 0xac1258dd, socket rctx 0x5015ba34 RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: Successfully sent packet and started timeout handler for rctx 0x5015ba34 RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: rctx found is 0x5015ba34 RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: Radius packet decryption complete with rc = 0 RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: RADIUS: Received from id :1812, Access- Accept, len 20 RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: RADIUS: authenticator DF E2 30 CA 3A BE 3C 8B 88 RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: Freeing server group transaction_id ( ) RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: pack_length = 20 radius_len = 20 RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: rad_nas_reply_to_client: Received response from id : 145,packet type 2 RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: (rad_nas_reply_to_client) Successfully decoded the response No error: PASS RP/0/RSP0/CPU0:May 5 00:50: : radiusd[1117]: (rad_nas_reply_to_client) Successfully stored the preferred server info RP/0/RSP0/CPU0:Roy_BNG_1# RP/0/RSP0/CPU0:Roy_BNG_1# RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess al de Mon May 5 00:50: UTC Interface: Bundle- Ether pppoe249 Circuit ID: Unknown Remote ID: Unknown Type: PPPoE:PTA IPv4 State: Up, Mon May 5 00:50: IPv4 Address: , VRF: default Mac Address: a857.4e06.4f47 Account- Session Id: Nas- Port: User name: PPP1@added_domain Outer VLAN ID: 101 Inner VLAN ID: 99 Subscriber Label: 0x Created: Mon May 5 00:50: State: Activated Authentication: unauthenticated Authorization: authorized Access- interface: Bundle- Ether Policy Executed: policy- map type control subscriber S99_CP_PTA_AUTHOR_ADD_DOMAIN event Session- Start match- first [at Mon May 5 00:50: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 activate dynamic- template S99_DT_LCP [Succeeded] event Session- Activate match- first [at Mon May 5 00:50: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 authorize aaa list S99_AAA_list [Succeeded] 20 activate dynamic- template S99_DT_PTA_MIN [Succeeded] Session Accounting: disabled Last COA request received: unavailable 60 of 237

61 [Last IPv6 down] Disconnect Reason: RP/0/RSP0/CPU0:Roy_BNG_1#sh sub sub- util subscriber RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber manager sadb Mon May 5 00:50: UTC Sublabel: 0x Node_ID: Signature: 0xabcdef12 Version: 1 Rev: 14 Length: 303 Attribute list: : parent- if- handle len= (1160) 2: port- type len= 4 Virtual PPPoE over QinQ 3: outer- vlan- id len= 4 101(65) 4: inner- vlan- id len= 4 99(63) 5: protocol- type len= 4 ppp 6: if- handle len= (55a0) 7: client- mac- address len= 14 a857.4e06.4f47 8: string- session- id len= : nas- port len= (650065f9) 10: interface len= 14 0/0/101/ : dnis len= : formatted- clid len= 14 a857.4e06.4f47 13: username len= 17 PPP1@added_domain 14: author_status len= 1 true 15: addr len= : vrf- id len= ( ) 17: ipv4- session- state len= 1 true NAS-Port-ID By default NAS- Port- ID attribute will be Pilled with <slot>/<subslot>/<port>/ <vlan>. The format of the NAS- Port- ID attribute is customizable using the attribute format. Furthermore, you can conpigure different format for NAS- Port- ID for different Nas- port- type. Following is an example of creating a customized Nas- Port- ID attribute and apply a predepined attribute format to Nas- Port- ID attribute. aaa attribute format NAS_PORT_FORMAT format-string length 253 "eth%s/%s/%s:%s.%s %s0/0/0/0/0/0" physicalslot physical-subslot physical-port outer-vlan-id inner-vlan-id circuit-id-tag aaa radius attribute nas-port-id format NAS_PORT_FORMAT type of 237

62 Please be noted that when the access interface is a sub- interface of bundle- ethernet interface, the physical- slot=0, physical- subslot=0, physical- port=bundle- ID. In this way, you can assign this customized NAS- port- ID format to a certain Nas- port- type, the access- request for sessions under an access interface with that particular Nas- port- type will follow this depined format to build a NAS- Port- ID. If 'type' option is not specipied, then the Nas- Port- ID for all interface types is constructed according to the format name specipied in the command Called-Station-Id and Calling-Station-Id By default calling- station- id attribute will be Pilled with remote- id and called- station- id attribute will be Pilled with circuit- id. For PPPoE session, if the remote- id tag/circuit- id tag are present in the PPPoE packet, then the calling- station- id and called- station- id will not be included in the access- request/accounting- request packet without explicit conpiguration for the format of calling- station- id and called- station- id. For IPoE session, if the DHCP option82 remote- id /circuit- id sub options are not present in the DHCP discover packet, then the calling- station- id and called- station- id will not be included in the access- request/accounting- request packet without explicit conpiguration for the format of calling- station- id and called- station- id. 62 of 237

63 For IPoE, the remote- id /circuit- id could be inserted by BNG itself, no matter whether they are inserted by the access node. The inserted remote- id/circuit- id will be used to build the Called- Station- Id and Calling- Station- Id. To some extent, the inserted remote- id /circuit- id is also customisable.in this way, you can customise the Called- Station- Id and Calling- Station- Id indirectly. RP/0/RSP0/CPU0:Roy_BNG_1(config)#dhcp ipv4 profile TEST proxy relay information option remote-id REMOTE_ID RP/0/RSP0/CPU0:Roy_BNG_1(config)#dhcp ipv4 interface bundle-e proxy information option format-type circuit-id format-string "%s"? inner-vlan-id Inner vlan id tag outer-vlan-id Outer vlan id tag physical-chassis Rack physical-port Port physical-slot Slot physical-subport Subport physical-subslot Subslot The format of the called- station- id/calling- station- id attribute is customizable respectively using the attribute format. Furthermore, you can conpigure different format for called- station- id/calling- station- id for different Nas- port- type. Examples of constructing called- station- ID and calling- station- ID with per nas- port- type based customisation (left) v.s. system based customisation(right). 63 of 237

64 aaa attribute format INTF_ID format-string length 253 "%s/%s/%s/%s_%s:%s" physical-chassis physical-slot physical-subslot physical-port outer-vlan-id innervlan-id aaa attribute format FORMAT_CALLED_STATION_ID format-string length 253 "%s" inner-vlan-id aaa attribute format FORMAT_CALLING_STATION_ID mac-address aaa attribute format FORMAT_CALLED_STATION_ID_1 format-string length 253 "%s" outer-vlan-id aaa attribute format FORMAT_CALLING_STATION_ID_1 format-string length 253 "%s" dhcp-client-id-spl aaa radius attribute nas-port format e PPPPPPPPVVVVVVVVVVVVVVVVUUUUUUUU aaa radius attribute Nas-Port-ID format INTF_ID type 1 aaa radius attribute called-station-id format FORMAT_CALLED_STATION_ID_1 type 1 aaa radius attribute called-station-id format FORMAT_CALLED_STATION_ID aaa radius attribute calling-station-id format FORMAT_CALLING_STATION_ID_1 type 1 aaa radius attribute calling-station-id format FORMAT_CALLING_STATION_ID interface Bundle-Ether description student-99 DHCPv4 session aaa radius attribute nas-port-type Sync ipv4 point-to-point ipv4 unnumbered Loopback2099 service-policy type control subscriber S99_CP_DHCPV4_BASIC ipsubscriber ipv4 l2-connected initiator dhcp encapsulation ambiguous dot1q 201 seconddot1q rad_recv: Access- Request packet from host port 64459, id=44, lengt h=264 Cisco- AVPair = "client- mac- address=a857.4e06.4f47" Cisco- AVPair = "dhcp- vendor- class=msft 5.0" Acct- Session- Id = " c" NAS- Port = NAS- Port- Id = "0/0/0/201_201:99" Cisco- NAS- Port = "0/0/0/201_201:99" Service- Type = Outbound- User User- Name = "a857.4e06.4f47" User- Password = "cisco" NAS- Port- Type = Sync Called- Station- Id = "201" Calling- Station- Id = ".WN.OG" Event- Timestamp = Cisco- AVPair = "dhcp- client- id=\250wn\006og" NAS- Identifier = "Roy_BNG_1" NAS- IP- Address = interface Bundle-Ether description student-99 DHCPv4 session ipv4 point-to-point ipv4 unnumbered Loopback2099 service-policy type control subscriber S99_CP_DHCPV4_BASIC ipsubscriber ipv4 l2-connected initiator dhcp encapsulation ambiguous dot1q 201 seconddot1q rad_recv: Access- Request packet from host port 64459, id=47, lengt h=267 Cisco- AVPair = "client- mac- address=a857.4e06.4f47" Cisco- AVPair = "dhcp- vendor- class=msft 5.0" Acct- Session- Id = " f" NAS- Port = NAS- Port- Id = "0/0/201/99.201" Cisco- NAS- Port = "0/0/201/99.201" Service- Type = Outbound- User User- Name = "a857.4e06.4f47" User- Password = "cisco" NAS- Port- Type = 44 Called- Station- Id = "99" Calling- Station- Id = "a857.4e06.4f47" Event- Timestamp = Cisco- AVPair = "dhcp- client- id=\250wn\006og" NAS- Identifier = "Roy_BNG_1" NAS- IP- Address = of 237

65 RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber manager sadb Sun May 4 22:50: UTC Sublabel: 0x Node_ID: Signature: 0xabcdef12 Version: 1 Rev: 14 Length: 314 Attribute list: : protocol- type len= 4 dhcp 2: dhcp- client- id len= 6 ^hwn^fog 3: port- type len= 4 Serial 4: inner- vlan- id len= 4 99(63) 5: outer- vlan- id len= 4 201(c9) 6: client- mac- address len= 14 a857.4e06.4f47 7: parent- if- handle len= (11a0) 8: dhcp- vendor- class len= 8 MSFT 5.0 9: string- session- id len= c 10: nas- port len= (c900c900) 11: interface len= 16 0/0/0/201_201:99 12: dnis len= : formatted- clid len= 6.WN.OG 14: username len= 14 a857.4e06.4f47 15: author_status len= 1 true 16: addr len= : if- handle len= (1760) 18: vrf- id len= ( ) 19: ipv4- session- state len= 1 true RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber manager sadb Sun May 4 23:22: UTC Sublabel: 0x Node_ID: Signature: 0xabcdef12 Version: 1 Rev: 14 Length: 319 Attribute list: : protocol- type len= 4 dhcp 2: dhcp- client- id len= 6 ^hwn^fog 3: port- type len= 4 Virtual IP over QinQ 4: inner- vlan- id len= 4 99(63) 5: outer- vlan- id len= 4 201(c9) 6: client- mac- address len= 14 a857.4e06.4f47 7: parent- if- handle len= (11a0) 8: dhcp- vendor- class len= 8 MSFT 5.0 9: string- session- id len= f 10: nas- port len= (c900c900) 11: interface len= 14 0/0/201/ : dnis len= : formatted- clid len= 14 a857.4e06.4f47 14: username len= 14 a857.4e06.4f47 15: author_status len= 1 true 16: addr len= : if- handle len= (1820) 18: vrf- id len= ( ) 19: ipv4- session- state len= 1 true NAS-Port The format of the NAS- Port attribute is customizable, and furthermore, you can depine different NAS- Port format for different Nas- port- type. The approach of associating a predepined attribute format to the attribute is not applicable for NAS- Port, we use an alternative conpiguration. For more detail of nas- port format customization please visit bng/conpiguration/guide/ b_bng_cg43asr9k_chapter_010.html#task_2f9e7da9b8f647d3ba517cf9e5e22 8F0 Please be noted the nas- port format need to be conpigured explicitly. If a NAS- Port format is not conpigured for a NAS- Port- Type, the system looks for a default CLI conpiguration for the NAS- Port format. In the absence of both these conpigurations, for sessions with that particular NAS- Port- Type, the NAS- Port attribute is not sent to the RADIUS server. 65 of 237

66 4.4.7.Cisco-AVPair remote-id-tag, cuicuit-id-tag and dhcpv6-interface-id Please be noted that in the access- request message, the same string replecting the circuit id information will be carried in both adsl- vsa Agent- Circuit- Id and Cisco- AVPair remote- id- tag. Also, the same string replecting the remote id information will be carried in both adsl- vsa Agent- Remote- Id and cisco- AVPair remote- id- tag. Following are the behaviours how those two attributes are created. - DHCPV4 SESSION Regarding DHCPv4 session, when ASR9K acts as a DHCPv4 proxy, let s focus on Cisco- AVPair remote- id- tag and cuicuit- id- tag. - For IPoEv4 if the dhcpv4 option 82 is present in the FSOL, those information will be used in the AVPair. - For IPoEv4 if the dhcpv4 option 82 is not present in the FSOL and there are no circuit- id/remote- id inserted by CLI explicitly in ASR9K, those information will not be included in the AVpair. - For IPoEv4 if the dhcpv4 option 82 is present in the FSOL but circuit- id/remote- id are inserted by CLI in ASR9K, the inserted information will be included in the AVpair. - DHCPV6 SESSION Regarding DHCPv6 session, when ASR9K acts as a DHCPv6 proxy, let s focus on Cisco- AVPair remote- id- tag and dhcpv6- interface- id - DHCPv6 option 37 is equivalent of DHCPv4 option 82 remote- id, which will be put into AVPair remote- id- tag. 66 of 237

67 - DHCPv6 option 18 is equivalent to DHCPv4 option 82 circuit- id, but this information will not be present in AVpair circuit- id- tag, instead, it is put into another AVPair named dhcpv6- interface- id - For IPoEv6 if the dhcpv6 option 18 and option 37 are present in the FSOL, those information will be used in the AVPair, option 18 for remote- id- tag and option 37 for dhcpv6- interface- id. - For IPoEv6 if the dhcpv6 option 18 and option 37 are not present in the FSOL, ASR9K system will generate a remote- ID and interface- id automatically and those system generated information will be included in the AVpair. - For IPoEv6 if the dhcpv6 option 18 and option 37 are present in the FSOL but circuit- id/interface- id are inserted by CLI in ASR9K, the inserted information will be included in the AVpair. - PPPOE SESSION Regarding PPPoE session, let s focus on Cisco- AVPair remote- id- tag and cuicuit- id- tag.i - For PPPoE if those information are present in the PPPoE tag in PPPoE PADI/PADR packet, those information will be used in the AVPair. - For PPPoE if those information are not present in the PPPoE tag in PPPoE PADI/PADR packet, those information will not be included in the AVpair. - There is no way to insert pppoe circuit- id/remote- id in ASR9K. PPPoE circuit- id and remote- id are depined by ADSL forum, basically it s a tag in PPPoE PADI and PADR packet inserted by the DSLAM or other access node supposedly to identify the DSLAM and/or the subscriber. You can Pind more information in forum.org/technical/download/ TR- 101.pdf. it s quite like the DHCP opton 82 in context of DHCP initiated IPoE session. In the BNG you can use following show command to Pind if there is pppoe circuit- id/remote- id present 67 of 237

68 RP/0/0/CPU0:demo#show pppoe interfaces GigabitEthernet0/1/0/0.pppoe1 GigabitEthernet0/1/0/0.pppoe1 is Complete Session id: 1 Access interface: GigabitEthernet0/1/0/0 BBA- Group: blue Local MAC address: aabb.cc Remote MAC address: aabb.cc Tags: Service- Name: service1 Max- Payload: 1500 IWF Circuit- ID: circuit1 Remote- ID: remote1 5. Chapter 5, Attributes in Access-Accept - configure a session. 5.1.convention - You see a example of the radius attribute here instead of a syntax. - The referred conpig means you need those conpig on the box to work together with the attributes downloaded to achieve a goal. - Equivalent conpiguration in dynamic- template is an alternative to the radius attributes which can work together with the referred conpig to achieve the same goal. - You will see same attributes be explained in in difference clause for different use case( for example, PPP and IPoE session respectively), that is because the handling of some attributes varies on session type basis. 68 of 237

69 5.2.attributes usage in detail NO. 1 V4 UNNUMBERED Function To specify the IPv4 unnumbered interface for PPPoE/IPoE session. Assigning an unnumbered interface to a V4 session is mandatory to have the IPv4 protocol stack up for a session. Attributes Cisco- AVPair = ipv4- unnumbered=loopback12 Referred configura.on on BNG interface Loopback12 ipv4 address Equivalent con?iguration in dynamic- template dynamic-template type ppp TEST ipv4 unnumbered loopback 12 Notes - Applicable for PPPoE PTA, DHCP triggered IPoE, PKT triggered IPoE, static session. - Never include this attribute in the access- accept for a LAC session. - This is the attribute to enable IPv4 address family for a session. NO. 2 V4 POOL FOR PPP Function To specify the name of the IPv4 pool for a PPPoE session. Attributes Cisco- avpair = addr- pool=s99_pool_pppv4 69 of 237

70 or Framed- pool = "S99_POOL_PPPV4" Referred configura.on on BNG pool vrf default ipv4 S99_POOL_PPPV4 address-range Equivalent con?iguration in dynamic- template dynamic-template type ppp TEST ppp ipcp peer-address pool S99_POOL_PPPV4 Notes - Applicable for PPPoE PTA - Never include this attribute in the access- accept for a LAC session. - the vrf the pool belong to must consist with the vrf coniigured for the session. NO. 3 V4 ADDRESS FOR PPPOE PTA SESSION Function To specify the IPv4 address assigned to a PPPoE client Attributes Cisco- avpair = ip- addr= or 70 of 237

71 Framed- Ip- Address = Referred configura.on on BNG n/a Equivalent con?iguration in dynamic- template n/a Notes - Applicable for PPPoE PTA session. - Never include this attribute in the access- accept for a LAC session. - usually go together with the attribute of net mask. - the ipv4 address will be negotiate with client via PPPoE IPCP NO. 4 V4 NETMASK FOR PPPOE PTA SESSION Function To specify the IPv4 address netmask assigned to a PPPoE client Attributes Cisco- avpair = netmask= or Framed- IP- Netmask = Referred configura.on on BNG n/a Equivalent con?iguration in dynamic- template dynamic-template type ppp TEST ppp ipcp mask of 237

72 Notes - Applicable for PPPoE PTA session. - Never include this attribute in the access- accept for a LAC session. - usually go together with the attribute of ipv4 address. - the netmask will be negotiated with client via PPPoE IPCP only when PPP client ask for that in a IPCP confreq, otherwise this will not be negotiated to the client. it does not matter for a PPP client given the point- to- point nature of PPP. NO. 5 V4 DNS SERVER FOR PPP PTA Function To specify the ipv4 address of the primary and secondary DNS server for PPPoE session. Attributes Cisco- avpair = "primary- dns= ", Cisco- avpair = "secondary- dns= " or Ascend- Client- Primary- DNS := Ascend- Client- Secondary- DNS = Referred configura.on on BNG n/a Equivalent con?iguration in dynamic- template dynamic-template type ppp TEST ppp ipcp dns Note - radius attribute for v4 DNS for DHCP triggered IPoE session has not been supported yet as of 5.2.0, another word, you can download the DNS attribute from radius server, but BNG will not translate it to DHCP options in the offer message to the client. 72 of 237

73 NO. 6 IPV4 MTU FOR PPPOE PTA SESSION Function To specify the IPv4 MTU for the PPPoE session interface. Attributes Cisco- avpair = ipv4- mtu=1200 (IETF asribute Framed- MTU = 1200 does not work since the lack of disynguishing between v4 and v6) Referred configura.on on BNG n/a Equivalent con?iguration in dynamic- template dynamic-template type ppp TEST ipv4 mtu 1200 Notes - Applicable for PPPoE PTA - Never include this attribute in the access- accept for a LAC session. - normally, BNG will honor the MRU sent by the PPP client during LCP, in that case, the ipv4 mtu coniigured in a dynamic template or downloaded from a radius server does not effect, unless you ignore the PPP MRU explicitly using following CLI dynamic- template type ppp S99_DT_LCP ppp mru ignore - be careful about the IP fragmenting caused when specify a small MTU. ASR9K BNG does not forward the fragmented packet via a session to a subscriber. - this approach has no impact on the MTU on the CPE. - Use following CLI to check the ipv4 MTU for a session interface. RP/0/RSP0/CPU0:Roy_BNG_1# show ipv4 int Bundle- Ether pppoe1529 Bundle- Ether pppoe1529 is Up, ipv4 protocol is Up Vrf is default (vrfid 0x ) Interface is unnumbered. Using address of Loopback1099 ( /24) MTU is 1500 (1200 is available to IP) Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is not set Proxy ARP is disabled 73 of 237

74 ICMP redirects are never sent ICMP unreachables are always sent ICMP mask replies are never sent Table Id is 0xe Notes - Applicable for PPPoE PTA - Never include this attribute in the access- accept for a LAC session. - the DNS server ipv4 address will be negotiate with client via PPP IPCP. - please be noted that Cisco- avpair += wins- server= is unsupported, with this avpair included in the user- proiile would fail the session establishment. No. 7 V4 framed- route for PPP PTA session Function To specify the IPv4 route associated to a PPPoE PTA session. Attributes Framed- route = tag 7 For PPPoE, the syntax is Framed- Route = vrf <prepix VRF> <prepix> <prepix mask> vrf <next hop vrf> <next hop prepix> <AD> tag <tag id> - Here the next hop prepix must be or absent, otherwise the installation of the route would fail. - AD is optional, without the presence of AD, the route will have a AD of 1. - Tag is optional. - vrf <prepix VRF> and vrf <next hop vrf> are ignored by ASR9K, they can be included in the attribute and have any value but take no effect. Referred configura.on on BNG n/a 74 of 237

75 Equivalent con?iguration in dynamic- template n/a Notes - For PPPoE session, this attribute is supported from day 1. - There are some feature disparities between PPPoE and IPoE - PPPoE Cross VRF route is not supported, which means that the session, the prepix and next- hop of the route must be in the same VRF, the route will be installed into the VRF to which the session belong ( the vrf specipied by dyamic- template or Avpair vrf- id coming along with the framed- route on authentication). To install a framed- route into a VRF ( for example VRF_1) where the session is reside in, you can download following attribute from the radius and the route of will be installed to vrf VRF_1. Cisco- AVpair= vrf- id=vrf_1 Framed- route= COA pushing framed- route for pppoe session is not supported. - IPoE( list here for comparison purpose, see more detail in later clause) Cross VRF route is supported. The session and prepix could be in one VRF, the next- hop could be in another vrf. COA pushing is supported for IPoE session. - Never include this attribute in the access- accept for a LAC session. Veri?ied framed- route attribute format for pppoe PTA session 1) Pre?ix+mask only PPP10@S99 Cleartext- Password := "cisco" Framed- Route = " " 75 of 237

76 RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de in display snippet - Attribute List: 0x500f9a18 1: route len= 22 value= RP/0/RSP0/CPU0:Roy_BNG_1#sh route subscriber Wed Jun 25 22:40: UTC A A /32 is directly connected, 00:00:41, Bundle- Ether pppoe /24 is directly connected, 00:00:41, Bundle- Ether pppoe36 RP/0/RSP0/CPU0:Roy_BNG_1#sh route /24 Wed Jun 25 22:41: UTC Routing entry for /24 Known via "subscriber", distance 1, metric 0 (connected) Installed Jun 25 22:40: for 00:01:00 Routing Descriptor Blocks directly connected, via Bundle- Ether pppoe36 Route metric is 0 No advertising protos. 2) Pre?ix+mask+next- hop ( identical to Framed- Route = " ) PPP11@S99 Cleartext- Password := "cisco" Framed- Route = " " RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de in display snippet - Attribute List: 0x500f9a28 1: route len= 30 value= RP/0/RSP0/CPU0:Roy_BNG_1#sh route subscriber Wed Jun 25 22:42: UTC A A /32 is directly connected, 00:00:32, Bundle- Ether pppoe /24 is directly connected, 00:00:32, Bundle- Ether pppoe39 RP/0/RSP0/CPU0:Roy_BNG_1#sh route /24 Wed Jun 25 22:42: UTC Routing entry for /24 Known via "subscriber", distance 1, metric 0 (connected) Installed Jun 25 22:42: for 00:00:47 Routing Descriptor Blocks directly connected, via Bundle- Ether pppoe39 Route metric is 0 No advertising protos. 76 of 237

77 3) with AD and tag Cleartext- Password := "cisco" Framed- Route = " tag 10 RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de in display snippet - User Profile received from AAA: Attribute List: 0x500f9a30 1: route len= 31 value= tag 10 RP/0/RSP0/CPU0:Roy_BNG_1#sh route /24 Wed Jun 25 22:45: UTC Routing entry for /24 Known via "subscriber", distance 4, metric 0 (connected) Tag 10 Installed Jun 25 22:44: for 00:01:04 Routing Descriptor Blocks directly connected, via Bundle- Ether pppoe40 Route metric is 0 No advertising protos. 4) with AD, but no tag PPP13@S99 Cleartext- Password := "cisco" Framed- Route = " " RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de in display snippet - 1: route len= 32 value= RP/0/RSP0/CPU0:Roy_BNG_1#sh route subscriber Wed Jun 25 22:47: UTC A A /32 is directly connected, 00:00:35, Bundle- Ether pppoe /24 is directly connected, 00:00:35, Bundle- Ether pppoe41 RP/0/RSP0/CPU0:Roy_BNG_1#sh route /24 Wed Jun 25 22:48: UTC Routing entry for /24 Known via "subscriber", distance 4, metric 0 (connected) Installed Jun 25 22:47: for 00:00:58 Routing Descriptor Blocks directly connected, via Bundle- Ether pppoe41 Route metric is 0 No advertising protos. 77 of 237

78 5) with tag, but no AD Cleartext- Password := "cisco" Framed- Route = " tag 10" RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de in display snippet - Attribute List: 0x500f9a38 1: route len= 37 value= tag 10 RP/0/RSP0/CPU0:Roy_BNG_1#sh route subscriber Wed Jun 25 23:09: UTC A A /32 is directly connected, 00:00:22, Bundle- Ether pppoe /24 is directly connected, 00:00:22, Bundle- Ether pppoe42 RP/0/RSP0/CPU0:Roy_BNG_1#sh route /24 Wed Jun 25 23:09: UTC Routing entry for /24 Known via "subscriber", distance 1, metric 0 (connected) Tag 10 Installed Jun 25 23:09: for 00:00:38 Routing Descriptor Blocks directly connected, via Bundle- Ether pppoe42 Route metric is 0 No advertising protos. 6) full format PPP15@S99 Cleartext- Password := "cisco" Framed- Route = " tag 10" RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de in display snippet - 1: route len= 39 value= tag 10 RP/0/RSP0/CPU0:Roy_BNG_1#sh route subscriber Wed Jun 25 23:11: UTC A A /32 is directly connected, 00:00:23, Bundle- Ether pppoe /24 is directly connected, 00:00:23, Bundle- Ether pppoe44 RP/0/RSP0/CPU0:Roy_BNG_1#sh route /24 Wed Jun 25 23:11: UTC Routing entry for /24 Known via "subscriber", distance 4, metric 0 (connected) Tag 10 Installed Jun 25 23:11: for 00:00:35 Routing Descriptor Blocks directly connected, via Bundle- Ether pppoe44 Route metric is 0 No advertising protos. 78 of 237

79 7) Session and framed- route in vrf Cleartext- Password := "cisco" Cisco- avpair = "ipv4- unnumbered=loopback1199", Cisco- avpair += "addr- pool=s99_pool_pppv4_vrf", Cisco- avpair += "vrf- id=s99_vrf", Framed- Route = " tag 10" PPP session do not support cross VRF framed- route, which means the framed- route must be installed in the same vrf in which the session get terminated. Within the attribute you can have a vrf name of the preiix or/and the vrf name of the next- hop, but they are ignored by BNG when handling the attribute. Another word, following four attributes are equivalent, leading to the same result as following. Framed- Route = " tag 10" Framed- Route = vrf S99_VRF tag 10" Framed- Route = "vrf S100_VRF tag 10 Framed- Route = "vrf S99_VRF vrf S100_VRF tag 10" RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all Wed Jun 25 23:54: UTC Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated, ID - Idle, DN - Disconnecting, ED - End Type Interface State Subscriber IP Addr / Prefix LNS Address (Vrf) PPPoE:PTA BE pppoe108 AC (S99_VRF) RP/0/RSP0/CPU0:Roy_BNG_1# RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de in Wed Jun 25 23:51: UTC User Profile received from AAA: Attribute List: 0x500f9ad8 1: ipv4- unnumbered len= 12 value= Loopback1199 2: addr- pool len= 18 value= S99_POOL_PPPV4_VRF 3: ip- vrf len= 7 value= S99_VRF 4: route len= 39 value= tag 10 RP/0/RSP0/CPU0:Roy_BNG_1#sh route vrf S99_VRF subscriber Wed Jun 25 23:52: UTC A A /32 is directly connected, 00:01:26, Bundle- Ether pppoe /24 is directly connected, 00:01:26, Bundle- Ether pppoe of 237

80 RP/0/RSP0/CPU0:Roy_BNG_1#sh route vrf S99_VRF /24 Wed Jun 25 23:52: UTC Routing entry for /24 Known via "subscriber", distance 4, metric 0 (connected) Tag 10 Installed Jun 25 23:51: for 00:01:48 Routing Descriptor Blocks directly connected, via Bundle- Ether pppoe108 Route metric is 0 No advertising protos. RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all Thu Jun 26 00:19: UTC Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated, ID - Idle, DN - Disconnecting, ED - End Type Interface State Subscriber IP Addr / Prefix LNS Address (Vrf) PPPoE:PTA BE pppoe121 AC (S99_VRF) RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de internal Thu Jun 26 00:19: UTC - display snippet - User Profile received from AAA: Attribute List: 0x500f9af0 1: ipv4- unnumbered len= 12 value= Loopback1199 2: addr- pool len= 18 value= S99_POOL_PPPV4_VRF 3: ip- vrf len= 7 value= S99_VRF 4: route len= 51 value= vrf S99_VRF tag 10 RP/0/RSP0/CPU0:Roy_BNG_1#sh route vrf S99_VRF subscriber Thu Jun 26 00:19: UTC A /32 is directly connected, 00:00:39, Bundle- Ether pppoe121 A /24 is directly connected, 00:00:39, Bundle- Ether pppoe121 RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all Wed Jun 25 23:54: UTC Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated, ID - Idle, DN - Disconnecting, ED - End Type Interface State Subscriber IP Addr / Prefix LNS Address (Vrf) PPPoE:PTA BE pppoe122 AC (S99_VRF) RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de internal User Profile received from AAA: Attribute List: 0x500f9af0 80 of 237

81 1: ipv4- unnumbered len= 12 value= Loopback1199 2: addr- pool len= 18 value= S99_POOL_PPPV4_VRF 3: ip- vrf len= 7 value= S99_VRF 4: route len= 52 value= vrf S100_VRF tag 10 RP/0/RSP0/CPU0:Roy_BNG_1#sh route vrf S100_VRF Thu Jun 26 00:22: UTC % No matching vrf found RP/0/RSP0/CPU0:Roy_BNG_1#sh route vrf S99_VRF subscriber Thu Jun 26 00:22: UTC A /32 is directly connected, 00:00:40, Bundle- Ether pppoe122 A /24 is directly connected, 00:00:40, Bundle- Ether pppoe122 RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess al Thu Jun 26 23:30: UTC Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated, ID - Idle, DN - Disconnecting, ED - End Type Interface State Subscriber IP Addr / Prefix LNS Address (Vrf) PPPoE:PTA BE pppoe5 AC (S99_VRF) RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all detail internal Thu Jun 26 23:25: UTC User Profile received from AAA: Attribute List: 0x500f9cec 1: ipv4- unnumbered len= 12 value= Loopback1199 2: addr- pool len= 18 value= S99_POOL_PPPV4_VRF 3: ip- vrf len= 7 value= S99_VRF 4: route len= 64 value= vrf S99_VRF vrf S100_VRF tag 10 RP/0/RSP0/CPU0:Roy_BNG_1#sh route vrf S99_VRF subscriber Thu Jun 26 23:26: UTC A /32 is directly connected, 00:00:19, Bundle- Ether pppoe5 A /24 is directly connected, 00:00:19, Bundle- Ether pppoe5 RP/0/RSP0/CPU0:Roy_BNG_1# RP/0/RSP0/CPU0:Roy_BNG_1# RP/0/RSP0/CPU0:Roy_BNG_1#sh route vrf S99_VRF /24 Thu Jun 26 23:26: UTC Routing entry for /24 Known via "subscriber", distance 4, metric 0 (connected) Tag 10 Installed Jun 26 23:25: for 00:00:36 Routing Descriptor Blocks directly connected, via Bundle- Ether pppoe5 Route metric is 0 81 of 237

82 No advertising protos. NO. 8 V4 POOL FOR DHCP Function To specify the name of the IPv4 pool for DHCPv4 triggered IPoE session to get address assigned from, when ASR9K act as DHCPv4 SERVER.(5.1.0 release onward) Attributes Cisco- avpair = addr- pool=s99_pool_dhcpv4_2 or Framed- pool = S99_POOL_DHCPV4_2" Referred configura.on on BNG dhcp ipv4 profile S99_SERVER_PROFILE server lease pool S99_POOL_DHCPV4 < not necessary, put here on purpose to show that this configure will be overrode by the pool name specified in radius attribute. subnet-mask < not necessary, put here on purpose to show that this configure will be overrode by the mask defined in the pool. default-router interface Bundle-Ether server profile S99_SERVER_PROFILE pool vrf default ipv4 S99_POOL_DHCPV4 < not necessary, put here on purpose to show that this configure will be overrode by the pool name specified in radius attribute. network /24 default-router of 237

83 pool vrf default ipv4 S99_POOL_DHCPV4_2 < this is the definition for the pool used by radius attributes. network /24 default-router Equivalent con?iguration in dynamic- template n/a But you can deiine the ipv4 pool name statically in a dhcp ipv4 server proiile or it s class. dhcp ipv4 profile SERVER_PROFILE server pool S99_POOL_DHCPV4_2 or dhcp ipv4 profile SERVER_PROFILE server class CLASS_TEST pool S99_POOL_DHCPV4_2 Notes - Applicable for DHCPv4 triggered IPoE session - here the ASR9K must act as a DHCPv4 server, this is part of the so called DHCP radius proxy feature.. - the vrf the pool belong to must consist with the vrf coniigured for the session. - Note, with above coniiguration of pool, the net mask coniigured in the pool will not be overrode by net mask downloaded from radius server. See detail in following example. User- pro?ile Sending Access- Accept of id 46 to port Cisco- AVPair = "ipv4- unnumbered=loopback2099" Cisco- AVPair += "addr- pool=s99_pool_dhcpv4_2" Cisco- AVPair += "primary- dns= " Cisco- AVPair += "secondary- dns= " Cisco- AVPair += "ipv4- mtu=1200" Framed- IP- Netmask += Session display RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de internal Tue May 13 16:17: UTC Interface: Bundle- Ether ip6 Circuit ID: Unknown Remote ID: Unknown Type: IP: DHCP- trigger IPv4 State: Up, Tue May 13 16:09: IPv4 Address: , VRF: default 83 of 237

IPv4 Up helpers: 0x00000040 {IPSUB} IPv4 Up requestors: 0x00000040 {IPSUB} Mac Address: 3c07.545f.

84 IPv4 Up helpers: 0x {IPSUB} IPv4 Up requestors: 0x {IPSUB} Mac Address: 3c07.545f.c041 display snippet - User Profile received from AAA: Attribute List: 0x500f97ac 1: ipv4- unnumbered len= 12 value= Loopback2099 2: addr- pool len= 17 value= S99_POOL_DHCPV4_2 3: primary- dns len= 4 value= : secondary- dns len= 4 value= : ipv4- mtu len= 4 value= 1200(4b0) 6: netmask len= 4 value= < dose not take effect in this case NO. 9 - V4 ADDRESS FOR DHCP SESSION 84 of 237

85 Function To specify the IPv4 address assigned to a DHCPv4 triggered IPoE session, when ASR9K act as DHCPv4 SERVER.(5.1.0 release onward) Attributes Cisco- avpair = ip- addr= or Framed- Ip- Address = Referred configura.on on BNG dhcp ipv4 profile S99_SERVER_PROFILE server lease subnet-mask default-router interface Bundle-Ether server profile S99_SERVER_PROFILE Equivalent con?iguration in dynamic- template n/a Notes - Applicable for DHCPv4 triggered IPoE session - here the ASR9K must act as a DHCPv4 server, this is part of the so called DHCP radius proxy feature.. - usually go together with the attribute of net mask if there is no local deiinition in the dhcp ipv4 proiile coniiguration block. - Note, no attribute for default- gateway, so you need defaut- gateway deiined locally in the dhcp ipv4 proiile coniiguration block. - the ipv4 address will be negotiate with client via DHCP. - Note, the RADIUS speciiied address assigned to subscriber is not reilected in the usage of local IPv4 pool. In fact, with speciiic ipv4 address assigned by radius, you do not even need an IPv4 pool coniigured locally in this case, and the address- pool AVpair in the access- accept shows in following example is also insigniiicant. But you can still Iind the dhcp binding entry for that session. 85 of 237

86 RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de internal Tue May 13 15:34: UTC Interface: Bundle- Ether ip1 Circuit ID: Unknown Remote ID: Unknown Type: IP: DHCP- trigger IPv4 State: Up, Tue May 13 15:21: IPv4 Address: , VRF: default IPv4 Up helpers: 0x {IPSUB} IPv4 Up requestors: 0x {IPSUB} - snip display - User Profile received from AAA: Attribute List: 0x500f97ac 1: ipv4- unnumbered len= 12 value= Loopback2099 2: addr- pool len= 17 value= S99_POOL_DHCPV4_2 < useless with the presence of addr attributes downloaded 3: primary- dns len= 4 value= : secondary- dns len= 4 value= : addr len= 4 value= : netmask len= 4 value= < override the local defined /32 mask in above config, PC gets /8 address. Services: Name : S99_DT_DHCPV4_MIN Service- ID : 0x Type : Template Status : Applied [Event History] May 13 15:21: IPv4 Start May 13 15:21: SUBDB produce done May 13 15:21: IPv4 Up VRF: default Pool Id: 43 Pool Scope: VRF Specific Pool Prefix Length: 0 Used: 0 Excl: 1 Free: 253 Total: 254 RP/0/RSP0/CPU0:Roy_BNG_1#sh pool ipv4 name S99_POOL_DHCPV4_2 Tue May 13 15:36: UTC Pool S99_POOL_DHCPV4_2 Allocations Utilization: 0% RP/0/RSP0/CPU0:Roy_BNG_1#sh dhcp ipv4 server binding Tue May 13 16:02: UTC Lease MAC Address IP Address State Remaining Interface VRF Sublabel of 237

87 3c07.545f.c BOUND 460 BE default 0x4c NO V4 NETMASK FOR DHCP SESSION Function To specify the IPv4 address netmask assigned to a DHCPv4 triggered IPoE session, when ASR9K act as DHCPv4 SERVER.(5.1.0 release onward) Attributes Cisco- avpair = netmask= or Framed- IP- Netmask = Referred configura.on on BNG dhcp ipv4 profile S99_SERVER_PROFILE server lease default-router interface Bundle-Ether server profile S99_SERVER_PROFILE Equivalent con?iguration in dynamic- template n/a But you can deiine the mask statically in a dhcp ipv4 server proiile or it s class. dhcp ipv4 profile SERVER_PROFILE server subnet-mask or 87 of 237

88 dhcp ipv4 profile SERVER_PROFILE server class TEST_CLASS subnetmask Notes - Applicable for DHCPv4 triggered IPoE session - here the ASR9K must act as a DHCPv4 server, this is part of the so called DHCP radius proxy feature.. - usually go together with the attribute of IPv4 address. - the ipv4 address net mask will be negotiated with client via DHCP. No V4 framed- route for IPoE Function To specify the IPv4 route associated to an IPoE session. Attributes Framed- route = tag 7 For IPoE, the syntax is Framed- Route = vrf <prepix VRF> <prepix> <prepix mask> vrf <next hop vrf> <next hop prepix> <AD> tag <tag id> - vrf <prepix VRF> is optional. The route will be installed into the vrf indicated explicitly by vrf <prepix VRF>, if there is no vrf <prepix VRF> in the attribute, the route will be installed into the vrf where the session belong, which is determined by the conpig in the dynamic- template of the downloaded Csico- AVPair vrf- id. - prepix and prepix mask are mandatory. - vrf <next hop vrf> is optional. The route will has a next- hop indicated explicitly by vrf <next hop vrf>, but if there is no vrf <next hop vrf> in the attribute, the next- hop will follow the vrf where the session 88 of 237

89 belong, which is determined by the conpig in the dynamic- template of the downloaded Csico- AVPair vrf- id. <next hop prepix> is optional, without <next hop prepix> specipied, the address assigned to the session by DHCP will be used as the next hop. - AD is optional, without the presence of AD, the route will have a AD of 1. - tag is optional. Referred configura.on on BNG n/a Equivalent con?iguration in dynamic- template n/a Notes - For IPoE session(both DHCP and packet triggered session), this attributes is supported from release. - Cross VRF route is supported for IPoE session. The session and prepix could be in one VRF, the next- hop could be in another VRF. - COA pushing is supported for IPoE session. Veri?ied framed- route attribute format for pppoe PTA session 1) pre?ix and netmask only(in default vrf) a857.4e06.4f47 Cleartext- Password := "cisco" Framed- Route = " " Please be noted that the the next- hop is not speciiied in the attribute and BNG use the address assigned by DHCP to the client as the next- hop in it s routing table. 89 of 237

90 RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de in Fri Jun 27 11:14: UTC Interface: Bundle- Ether ip2 IPv4 Address: , VRF: default display snippet User Profile received from AAA: Attribute List: 0x500f96ac 1: route len= 22 value= Services: Name : S99_DT_DHCPV4_MIN Service- ID : 0x Type : Template Status : Applied [Event History] Jun 27 11:14: IPv4 Start Jun 27 11:14: SUBDB produce done Jun 27 11:14: IPv4 Up RP/0/RSP0/CPU0:Roy_BNG_1#sh route subscriber Fri Jun 27 11:15: UTC A /32 is directly connected, 00:00:13, Bundle- Ether ip2 A /24 [1/0] via , 00:00:13 RP/0/RSP0/CPU0:Roy_BNG_1# RP/0/RSP0/CPU0:Roy_BNG_1# RP/0/RSP0/CPU0:Roy_BNG_1# RP/0/RSP0/CPU0:Roy_BNG_1#sh route /24 Fri Jun 27 11:17: UTC Routing entry for /24 Known via "subscriber", distance 1, metric 0 Installed Jun 27 11:14: for 00:02:12 Routing Descriptor Blocks , from Route metric is 0 No advertising protos. 2) pre?ix and netmask with as next hop, all in default vrf a857.4e06.4f47 Cleartext- Password := "cisco" Framed- Route = " Please be noted that the the next- hop is in the attribute and BNG use the address assigned by DHCP to the client as the next- hop in it s routing table, identical to scenario 1). RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de internal Fri Jun 27 11:25: UTC Interface: Bundle- Ether ip3 IPv4 Address: , VRF: default snippet User Profile received from AAA: Attribute List: 0x500f96bc 90 of 237

91 1: route len= 30 value= Services: Name : S99_DT_DHCPV4_MIN Service- ID : 0x Type : Template Status : Applied [Event History] Jun 27 11:25: IPv4 Start Jun 27 11:25: SUBDB produce done Jun 27 11:25: IPv4 Up RP/0/RSP0/CPU0:Roy_BNG_1#sh route subscriber Fri Jun 27 11:25: UTC A /32 is directly connected, 00:00:17, Bundle- Ether ip3 A /24 [1/0] via , 00:00:17 RP/0/RSP0/CPU0:Roy_BNG_1# RP/0/RSP0/CPU0:Roy_BNG_1#sh route /24 Fri Jun 27 11:25: UTC Routing entry for /24 Known via "subscriber", distance 1, metric 0 Installed Jun 27 11:25: for 00:00:26 Routing Descriptor Blocks , from Route metric is 0 No advertising protos. 3) pre?ix and netmask with speci?ic next hop and AD and tag, no VRF speci?ied. a857.4e06.4f47 Cleartext- Password := "cisco" Framed- Route = " tag 11 Please be noted that in this case, the the next- hop is which is indicated in the attribute, rather than the address assigned by DHCP to the client. Also see the AD and tag works as expected. RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de internal Fri Jun 27 11:32: UTC Interface: Bundle- Ether ip4 IPv4 Address: , VRF: default User Profile received from AAA: Attribute List: 0x500f9728 1: route len= 39 value= tag 11 RP/0/RSP0/CPU0:Roy_BNG_1#sh route subscriber Fri Jun 27 11:32: UTC A /32 is directly connected, 00:00:19, Bundle- Ether ip4 A /24 [5/0] via , 00:00:19 RP/0/RSP0/CPU0:Roy_BNG_1# RP/0/RSP0/CPU0:Roy_BNG_1# 91 of 237

92 RP/0/RSP0/CPU0:Roy_BNG_1#sh route /24 Fri Jun 27 11:32: UTC Routing entry for /24 Known via "subscriber", distance 5, metric 0 Tag 11 Installed Jun 27 11:32: for 00:00:29 Routing Descriptor Blocks , from Route metric is 0 No advertising protos. 4) pre?ix and net mask with speci?ic next hop in another explicit vrf ( vrf INTERNET) a857.4e06.4f47 Cleartext- Password := "cisco" Framed- Route = " vrf INTERNET tag 11" RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de internal Fri Jun 27 11:39: UTC Interface: Bundle- Ether ip5 IPv4 Address: , VRF: default display snippet User Profile received from AAA: Attribute List: 0x500f974c 1: route len= 52 value= vrf INTERNET tag 11 RP/0/RSP0/CPU0:Roy_BNG_1#sh route subscriber Fri Jun 27 11:39: UTC RP/0/RSP0/CPU0:Roy_BNG_1#sh route /24 Fri Jun 27 11:39: UTC Routing entry for /24 Known via "subscriber", distance 5, metric 0 Tag 11 Installed Jun 27 11:39: for 00:00:33 Routing Descriptor Blocks , from A /32 is directly connected, 00:00:25, Bundle- Ether ip5 A /24 [5/0] via (nexthop in vrf INTERNET), 00:00:25 Nexthop in Vrf: "INTERNET", Table: "default", IPv4 Unicast, Table Id: 0xe Route metric is 0 No advertising protos. 5) pre?ix and net mask without speci?ic next hop address, but nexhop in another vrf ( vrf INTERNET) 92 of 237

93 a857.4e06.4f47 Cleartext- Password := "cisco" Framed- Route = " vrf INTERNET 5 tag 11" Fri Jun 27 11:46: UTC A /32 is directly connected, 00:00:15, Bundle- Ether ip6 A /24 [5/0] via (nexthop in vrf INTERNET), 00:00:15 6) session in default vrf, pre?ix in another vrf(vrf S99_VRF), next hop in the third VRF.( vrf INTERNET) a857.4e06.4f47 Cleartext- Password := "cisco" Framed- Route = "vrf S99_VRF vrf INTERNET 5 tag 11" RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de internal Fri Jun 27 11:53: UTC Interface: Bundle- Ether ip7 IPv4 Address: , VRF: default User Profile received from AAA: Attribute List: 0x500f9758 1: route len= 56 value= vrf S99_VRF vrf INTERNET 5 tag 11 RP/0/RSP0/CPU0:Roy_BNG_1#sh route subscriber Fri Jun 27 11:53: UTC A /32 is directly connected, 00:01:43, Bundle- Ether ip7 RP/0/RSP0/CPU0:Roy_BNG_1#sh route vrf S99_VRF subscriber Fri Jun 27 11:53: UTC A /24 [5/0] via (nexthop in vrf INTERNET), 00:01:53 RP/0/RSP0/CPU0:Roy_BNG_1#sh route vrf S99_VRF /24 Fri Jun 27 11:54: UTC Routing entry for /24 Known via "subscriber", distance 5, metric 0 Tag 11 Installed Jun 27 11:52: for 00:02:16 Routing Descriptor Blocks , from Nexthop in Vrf: "INTERNET", Table: "default", IPv4 Unicast, Table Id: 0xe Route metric is 0 No advertising protos. 93 of 237

94 7) session and pre?ix in one vrf(vrf S99_VRF), next hop in another VRF.( vrf INTERNET) a857.4e06.4f47 Cleartext- Password := "cisco" Framed- Route = "vrf S99_VRF vrf INTERNET 5 tag 11", Cisco- avpair += primary- dns= ", < it dose not work don t get confused Cisco- avpair += "ipv4- unnumbered=loopback2199", Cisco- avpair += "dhcp- class=class_vpn", Cisco- avpair += vrf- id=s99_vrf" < specify the session vrf RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess al de internal Fri Jun 27 13:26: UTC Interface: Bundle- Ether ip9 Type: IP: DHCP- trigger IPv4 State: Up, Fri Jun 27 13:24: IPv4 Address: , VRF: S99_VRF User Profile received from AAA: Attribute List: 0x500f9878 1: route len= 56 value= vrf S99_VRF vrf INTERNET 5 tag 11 2: primary- dns len= 4 value= : ipv4- unnumbered len= 12 value= Loopback2199 4: dhcp- class len= 9 value= CLASS_VPN 5: ip- vrf len= 7 value= S99_VRF Services: Name : S99_DT_DHCPV4_MIN Service- ID : 0x Type : Template Status : Applied [Event History] Jun 27 13:24: IPv4 Start Jun 27 13:24: SUBDB produce done Jun 27 13:24: IPv4 Up RP/0/RSP0/CPU0:Roy_BNG_1#sh route vrf S99_VRF sub Fri Jun 27 13:26: UTC A /32 is directly connected, 00:02:35, Bundle- Ether ip9 A /24 [5/0] via (nexthop in vrf INTERNET), 00:02:35 8) session in one speci?ic VRF, pre?ix without explicitly de?ined vrf, next hop in another VRF.( vrf INTERNET) a857.4e06.4f47 Cleartext- Password := "cisco" Framed- Route = " vrf INTERNET 5 tag 11", Cisco- avpair += "primary- dns= ", Cisco- avpair += "ipv4- unnumbered=loopback2199", 94 of 237

95 Cisco- avpair += "dhcp- class=class_vpn", Cisco- avpair += vrf- id=s99_vrf" < specify the session vrf here the preiix VRF will follow the session vrf. RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de internal Fri Jun 27 13:33: UTC Interface: Bundle- Ether ip10 IPv4 Address: , VRF: S99_VRF User Profile received from AAA: Attribute List: 0x500f9854 1: route len= 44 value= vrf INTERNET 5 tag 11 2: primary- dns len= 4 value= : ipv4- unnumbered len= 12 value= Loopback2199 4: dhcp- class len= 9 value= CLASS_VPN 5: ip- vrf len= 7 value= S99_VRF RP/0/RSP0/CPU0:Roy_BNG_1#sh route subscriber Fri Jun 27 13:33: UTC % No matching routes found RP/0/RSP0/CPU0:Roy_BNG_1#sh route vrf S99_VRF subscriber Fri Jun 27 13:34: UTC A /32 is directly connected, 00:00:29, Bundle- Ether ip10 A /24 [5/0] via (nexthop in vrf INTERNET), 00:00:29 RP/0/RSP0/CPU0:Roy_BNG_1# 9)session in one speci?ic VRF, pre?ix without explicitly de?ined vrf, next hop without explicitly de?ined VRF either. a857.4e06.4f47 Cleartext- Password := "cisco" Framed- Route = " tag 11", Cisco- avpair += "primary- dns= ", Cisco- avpair += "ipv4- unnumbered=loopback2199", Cisco- avpair += "dhcp- class=class_vpn", Cisco- avpair += "vrf- id=s99_vrf" here both the prepix vrf and next hop will follow the session vrf (VRF S99_VRF), RP/0/RSP0/CPU0:Roy_BNG_1#sh route vrf S99_VRF subscriber Fri Jun 27 13:37: UTC A /32 is directly connected, 00:00:19, Bundle- Ether ip11 A /24 [5/0] via , 00:00:19 95 of 237

96 10)session in one speci?ic VRF(S99_VRF), both pre?ix and next hop in default vrf with explicitly de?inition a857.4e06.4f47 Cleartext- Password := "cisco" Framed- Route = "vrf default vrf default tag 11", Cisco- avpair += primary- dns= ", Cisco- avpair += "ipv4- unnumbered=loopback2199", Cisco- avpair += "dhcp- class=class_vpn", Cisco- avpair += "vrf- id=s99_vrf" Use the key word vrf default to put the preiix/nexthop to default routing domain. RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess al de internal Fri Jun 27 13:40: UTC Interface: Bundle- Ether ip12 IPv4 Address: , VRF: S99_VRF User Profile received from AAA: Attribute List: 0x500f9884 1: route len= 63 value= vrf default vrf default tag 11 2: primary- dns len= 4 value= : ipv4- unnumbered len= 12 value= Loopback2199 4: dhcp- class len= 9 value= CLASS_VPN 5: ip- vrf len= 7 value= S99_VRF RP/0/RSP0/CPU0:Roy_BNG_1#sh route subscriber Fri Jun 27 13:40: UTC A /24 [5/0] via , 00:00:19 RP/0/RSP0/CPU0:Roy_BNG_1#sh route vrf S99_VRF subscriber Fri Jun 27 13:41: UTC A /32 is directly connected, 00:00:42, Bundle- Ether ip12 11)session in one speci?ic VRF(S99_VRF), pre?ix has explicitly de?ined default vrf and next hop come without explicitly vrf de?inition a857.4e06.4f47 Cleartext- Password := "cisco" Framed- Route = "vrf default tag 11", Cisco- avpair += "primary- dns= ", Cisco- avpair += "ipv4- unnumbered=loopback2199", Cisco- avpair += "dhcp- class=class_vpn", Cisco- avpair += "vrf- id=s99_vrf" 96 of 237

97 you can see the route is installed in the default routing table, but the next hop follows the session s vrf (S99_VRF). RP/0/RSP0/CPU0:Roy_BNG_1#sh route vrf S99_VRF subscriber Fri Jun 27 13:47: UTC A /32 is directly connected, 00:02:14, Bundle- Ether ip13 RP/0/RSP0/CPU0:Roy_BNG_1#sh route subscriber Fri Jun 27 13:47: UTC A /24 [5/0] via (nexthop in vrf S99_VRF), 00:02:19 NO IPV4 MTU FOR DHCP TRIGGERED SESSION Function To specify the IPv4 MTU for the DHCP triggered IPoE session interface. Attributes Cisco- avpair = ipv4- mtu=1200 (IETF asribute Framed- MTU = 1200 does not work since the lack of disynguishing between v4 and v6) Referred configura.on on BNG n/a Equivalent con?iguration in dynamic- template dynamic-template type ipsub TEST ipv4 mtu 1200 Notes - Applicable for DHCP session - Be careful about the IP fragmenting caused when specify a small MTU. ASR9K BNG does not forward the fragmented packet via a session to a subscriber. - This approach has no impact on the MTU on the CPE. - Use following CLI to check the ipv4 MTU for a session interface. 97 of 237

98 RP/0/RSP0/CPU0:Roy_BNG_1# sh ipv4 interface Bundle- Ether ip3 Tue May 13 15:47: UTC Bundle- Ether ip3 is Up, ipv4 protocol is Up Vrf is default (vrfid 0x ) Interface is unnumbered. Using address of Loopback2099 ( /24) MTU is 1500 (1200 is available to IP) Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is not set Proxy ARP is disabled ICMP redirects are never sent ICMP unreachables are always sent ICMP mask replies are never sent Table Id is 0xe NO VRF-ID Function To specify the vrf for a PPPoE/IPoE session. It s session type independent. Attributes Cisco- AVPair = vrf- id=s99_vrf Referred configura.on on BNG vrf S99_VRF address-family ipv4 unicast address-family ipv6 unicast Equivalent con?iguration in dynamic- template dynamic- template type service TEST vrf S99_VRF Notes - Applicable for PPPoE PTA, DHCP triggered IPoE, PKT triggered IPoE, static session. - Never include this attribute in the access- accept for a LAC session. - VRF transferring is not supported in IOS XR based BNG. - This attributes is also used together with addr in a CoA request message as session key. 98 of 237

99 - Don t include it explicitly if the session is in default VRF. - the session vrf- id could be different against the vrf coniigured in the access- interface. NO V4 ACL Function To specify the name of in/out security IPv4 ACL or in/out IPv4 ABF(ACL based forwarding) applied to a session. It s session type independent. Attributes Cisco- avpair = "outacl=s99_acl_out" Cisco- avpair = "inacl=s99_acl_in" or Filter- ID = S99_ACL_out" (no equivalent for inacl) Referred configura.on on BNG ipv4 access-list S99_ACL_out 10 permit ipv4 any any ipv4 access-list S99_ACL_in 10 deny ipv /24 host permit ipv4 any any Equivalent con?iguration in dynamic- template dynamic-template type service TEST ipv4 access-group S99_ACL_in ingress dynamic-template type service TEST ipv4 access-group S99_ACL_out egress Notes - Applicable for all kinds of v4 sessions or DS sessions. - It s not support to download the content of a ACL from radius. 99 of 237

100 - Same method /attribute to enable ABF( ACL Based Forwarding) for session trafiic, which is kinds of PBR in context of IOS XR. in ABF case, the ACL should be deiined with next hop like following example. ipv4 access-list ABF1 10 permit ipv /8 any nexthop1 vrf ivrf ipv nexthop2 vrf ivrf2 ipv NO QOS POLICY-MAP Function To specify the name of in/out QoS policy- map applied to a session or multiple session for SPI. It s session type independent. Attributes Cisco- AVPair = "sub- qos- policy- in=s99_in_policing_256k", Cisco- AVPair = sub- qos- policy- out=s99_out_policing_512k" or Cisco- AVPair = sub- qos- policy- out=s99_out_shaping_512k shared- policy- instance instance_id_1 This is for SPI- share the same QoS policy across mulyple sessions with the same AVPair applied and effect the aggregate traffic. only support egress shaping. Referred configura.on on BNG policy-map S99_IN_POLICING_256K class class-default police rate 256 kbps end-policy-map policy-map S99_OUT_POLICING_512K class class-default police rate 512 kbps 100 of 237

101 end-policy-map policy-map S99_OUT_SHAPING_512K class class-default shape average 512 kbps Equivalent con?iguration in dynamic- template dynamic-template type service TEST service-policy input S99_IN_POLICING_256K dynamic-template type service TEST service-policy output S99_OUT_POLICING_512K or dynamic-template type service TEST service-policy output S99_OUT_SHAPING_512K shared-policy-instance instance_id_1. Notes - Applicable for all kinds of sessions, it s pure data plane feature - no separate AVPare for V4/V6 respectively, since we use single Policy- map to handle V4 and V6 trafiic. - BNG ingress QoS could not be queueing based. - SPI only works for multiple sessions on same access- interface. - use show policy- map applied interface to check the qos applied, and use show policy- map interface to check the counter for the policer or shaper. NO PARAMETER QOS (P-QOS) Function To create/modify a QoS policy- map to a session with it s parameter speciiied from RADIUS server. In this way you do not need to deiine the Policy- map in the BNG locally. Please not the different between this AVpair and sub- qos- policy- in / sub- qos- policy- out. It s session type independent. 101 of 237

102 Attributes Addi$on/( Modifica$on( Removal( sub: indicates AVPair targets MQC policy on a subscriber session <class- list>: identiiies class to be added/removed or modiiied in the MQC policy. Multiple classes may be speciiied to modify classiiication in a nested (child) MQC policy <qos- action- list>: policy actions to be added/overwritten in targeted class in MQC policy Supported QoS features: - Shaping rate and percentage - Policing rate and percentage - Marking (CoS, DSCP, IP Prec) - Queueing (minbw, BW remaining, priority, WRED, queue- limit) Here list the actions format could be used in P- QoS AVPair Shaping shape(<rate-in-kbps>) shape-rpct(<rate-in-pct>) Policing police-rpct(<conform-rate-in-pct>,<conform-burst-in-us>,<exceed-rate-inpct>,<exceed-burst-in-us>, <conform-action>,<exceed-action>, <violate-action>) police(<conform-rate-in-kbps>,<conform-burst-in-kbytes>,<exceed-rate-inkbps>,<exceed-burst-in-kbytes>, <conform-action>,<exceed-action>, <violateaction>) Marking set-cos(<cos-val>) set-ip-dscp(<dscp-val>) in( out( in( out( set-ip-prec(<precedence>) AVPair: ip:qos$policy$in=add$class(sub,(<class%list>),<qos%ac*ons%list>)( AVPair: ip:qos$policy$out=add$class(sub,((<class%list>),<qos%ac*ons%list>)( AVPair: ip:qos$policy$in=remove$class(sub,(<class%list>))( AVPair: ip:qos$policy$out=remove$class(sub,((<class%list>))( 102 of 237

103 Queuing pri-level(<priority-level>) bw-rpct(<pct>) bw-rratio(<ratio>) bw-abs(<bw-in-kbps>) bw-pct(<bw-in-pct>) queue-limit(<qlimit-in-packets>) queue-limit-us(<qlimit-in-us>) random-detect-dscp(<dscp>) random-detect-prec(<precedence>) Following is a example of egress H- QoS created using P- QoS. user- pro7ile in radius server cisco- avpair += ip:qos- policy- out=add- class(sub,(class- default),shape(106496)), cisco- avpair += ip:qos- policy- out=add- class(sub,(class- default,voip),pri- level(1),police(13600,9216,transmit,drop),queue- limit(8),set- cos(5))", cisco- avpair += "ip:qos- policy- out=add- class(sub,(class- default,video),bw- pct(44),queue- limit(16),set- cos(1))", cisco- avpair += ip:qos- policy- out=add- class(sub,(class- default,gaming),bw- pct(28),queue- limit(16),set- cos(1)), cisco- avpair += "ip:qos- policy- out=add- class(sub,(class- default,hd),bw- pct(28),queue- limit(32),set- cos(0))" Display of show policy- map applied to Bundle- Ether4.1.ip9 which shows the session policy- map created by the above AVPair: policy- map sub_327effffffc75d < the name of the policy- map is created by system class class- default service- policy sub_327effffffc75d_child1 shape average kbps Child policy- map(s) of policy- map sub_327effffffc75d: 103 of 237

104 policy- map sub_327effffffc75d_child1 class voip priority level 1 police rate kbps burst 9216 kbytes conform- action transmit exceed- action drop queue- limit 8 packets set cos 5 class video bandwidth percent 44 queue- limit 16 packets set cos 1 class gaming bandwidth percent 28 queue- limit 16 packets set cos 1 class hd bandwidth percent 28 queue- limit 32 packets set cos 0 class class- default end- policy- map Referred configura.on on BNG You need to coniigure the class- map referred by the P- QoS attributes on the box Equivalent con.iguration in dynamic- template n/a Notes - downloaded in an access- accept or CoA request(account- update) - P- QoS approaching does not support SPI. - no separate AVPare for V4/V6 respectively, since we use single Policy- map to handle V4 and V6 traffic - BNG ingress QoS could not be queueing based. - class- map must be predefined on BNG box. 104 of 237

105 - use show policy- map applied interface to check the qos applied, and use show policy- map interface to check the counter for the policer or shaper. NO SESSION ACCOUNTING LIST Function To turn on the session accounting with AAA method list specified. It s session type independent. Attributes Cisco- avpair = "accounyng- list=s99_aaa_list" Referred configura.on on BNG aaa accounting subscriber S99_AAA_list broadcast group S99_GRP1 group S99_GRP2 aaa group server radius S99_GRP1 server auth-port 1812 acct-port 1813 source-interface Loopback99 aaa group server radius S99_GRP2 server auth-port 1812 acct-port 1813 source-interface Loopback99 radius-server host auth-port 1812 acct-port 1813 key F41584B56 radius-server host auth-port 1812 acct-port 1813 key 7 110A D5A5E57 Equivalent con.iguration in dynamic- template dynamic-template type service TEST accounting aaa list S99_AAA_list type session 105 of 237

106 Notes - Applicable for all kinds of sessions. - no separate AVPare for V4/V6 respectively, since we use single accounting message to report for V4 and V6 traffic belong to one session. NO SESSION ACCOUNTING INTERIM INTERVAL Function To turn on the interim accounting with update interval specified. It s session type independent. Attributes Acct- Interim- Interval = 600 or Cisco- avpair = acct- interval=600 note: in second Referred configura7on on BNG n/a Equivalent con.iguration in dynamic- template dynamic-template type service TEST accounting aaa list S99_AAA_list type session periodic-interval 10 note: in munite 106 of 237

107 Notes - Applicable for all kinds of sessions. - no separate AVPare for V4/V6 respectively, since we use single accounting message to report for V4 and V6 traffic belong to one session. - normally go together with Cisco- avpair += accounting- list=s99_aaa_list" NO SESSION ACCOUNTING DUAL STACK DELAY Function To turn on the Dual stack session accounting delay feature with delayed time specified. It s session type independent. Attributes Cisco- avpair = "dual- stack- delay=10" note: in second, max is 30 seconds Referred configura.on on BNG n/a Equivalent con.iguration in dynamic- template dynamic-template type service TEST accounting aaa list S99_AAA_list type session dual-stack-delay 10 note: in second, max is 30 seconds Notes - Applicable for all kinds of sessions. - used for dual stack sessions. Meaningless for single stack sessions. 107 of 237

108 NO SERVICE ACCOUNTING LIST Function To turn on the service accounting with AAA method list specified. It s session type independent. Attributes Cisco- avpair = service- acct- list=s99_aaa_list" Referred configura.on on BNG aaa accounting service S99_AAA_list broadcast group S99_GRP1 group S99_GRP2 aaa group server radius S99_GRP1 server auth-port 1812 acct-port 1813 source-interface Loopback99 aaa group server radius S99_GRP2 server auth-port 1812 acct-port 1813 source-interface Loopback99 radius-server host auth-port 1812 acct-port 1813 key F41584B56 radius-server host auth-port 1812 acct-port 1813 key 7 110A D5A5E57 Equivalent con.iguration in dynamic- template dynamic-template type service TEST accounting aaa list S99_AAA_list type service Notes - service level accounting is not the same to session level accounting. - Applicable for all kinds of sessions. 108 of 237

109 - no separate AVPare for V4/V6 respectively, since we use single accounting message to report for V4 and V6 traffic belong to one session. - see more detail information in later chapter for service- accounting NO SESSION-TIMEOUT Function To absolute session timeout for a PPPoE session.it s session type independent. Attributes Session- Timeout = 3600 note: in soconds Referred configura.on on BNG n/a Equivalent con.iguration in dynamic- template dynamic-template type ppp TEST ppp timeout absolute 60 note: RP/0/RSP0/CPU0:Roy_BNG_1(conFig)#dynamic- template type ppp TEST ppp timeout absolute? < > Minutes RP/0/RSP0/CPU0:Roy_BNG_1(conFig)#dynamic- template type ppp TEST ppp timeout absolute 60? <0-59> Seconds <cr> 109 of 237

110 Notes - Applicable for PPPoE only - when session timeout timer Fires, the session will be torn down. NO IDLE TIMEOUT THRESHOLD AND DIRECTION Function To specify idle- timeout timer and the threshold and direction of idle timeout for a PPPoE/ IPoE session Attributes idle- Ymeout=300 (in seconds) Referred configura.on on BNG n/a Cisco- avpair = idlethreshold=2 ( in minutes, opyonal) Cisco- avpair = idle- Ymeout- direcyon=both ( or inbound/outbound, opyonal) Equivalent con.iguration in dynamic- template dynamic-template type PPP TEST timeout idle 300 threshold 2 traffic both or dynamic-template type ipsub TEST timeout idle 300 threshold 2 traffic both Notes - Applicable for PPPoE/IPoE - when idle timer Fires, the session will be torn down. - default direction is inbound if no specification. - Duration of threshold in minute(s) per packet - should be less than idle duration 110 of 237

111 NO LAWFUL INTERCEPT Function To enable LI for a session via radius download or CoA pushing. It s session type independent. Attributes RADIUS based LI can be activated via user profile (Access- Accept) or via CoA request. Below First 4 attributes are required for LI activation/deactivation. Please note that, BNG do not process LI attributes without enabling aaa intercept. These attributes can either send via normal cisco- avpair or cisco- enc (encrypted VSA vendor- type 36) md- port This represents UDP port number of the mediation device that receives the intercepted packets. Ex: Cisco- AVpair = md- port=1000" intercept- id This is eight digits Unique identifier for LI operation, each request should be tagged with unique intercept- id otherwise the request will be rejected. Ex: Cisco- AVpair = intercept- id= " md- ip- addr This attribute specifies ip address of mediation device. Ex: Cisco- AVpair = md- ip- addr= " li- action Action can be 0 or 1 or > Remove the intercept from subscriber 1 - > Activate the intercept to the subscriber 2 - > Dummy action to check whether LI is active on session. md- dscp This helps setting DSCP values for tapped packets. And it is supported only on IOS XR. Ex: Cisco- Avpair= md- dscp=3 111 of 237

112 Referred configura.on on BNG aaa intercept Equivalent con.iguration in dynamic- template n/a Notes A veripied LI conpig ######BNG con.ig##### aaa intercept ######user pro.ile in radius server ####### test1@gsta Auth- Type := Local, User- Password == "cisco" Cisco- AVPair = "sub- qos- policy- out=hqos1", Cisco- AVPair += "intercept- id= ", Cisco- AVPair += "li- acyon=1", Cisco- AVPair += "md- ip- addr= ", Cisco- AVPair += "md- port=1000", Cisco- AVPair += md- dscp=23" #radius server debug#### auth: type Local auth: user supplied User- Password matches local User- Password Login OK: [test1@gsta/cisco] (from client private- network- 2 port 0) Processing the post- auth section of radiusd.conf modcall: entering group post- auth for request 0 radius_xlat: '../var/log/radius/radacct/ /reply- detail log' rlm_detail:../var/log/radius/radacct/%{client- IP- Address}/reply- detail- %Y%m%d.l og expands to../var/log/radius/radacct/ /reply- detail log modcall[post- auth]: module "reply_log" returns ok for request 0 modcall: leaving group post- auth (returns ok) for request 0 Sending Access- Accept of id 111 to port Cisco- AVPair = "sub- qos- policy- out=hqos1" Cisco- AVPair += "intercept- id= " Cisco- AVPair += "li- action=1" Cisco- AVPair += "md- ip- addr= " Cisco- AVPair += "md- port=1000" Cisco- AVPair += "md- dscp=23" NO V4 URPF 112 of 237

113 Function To enable ipv4 strict mode urpf checking for subscriber packet. It s session type independent. Attributes Cisco- avpair = strict- rpf=1 Referred configura.on on BNG n/a Equivalent con.iguration in dynamic- template dynamic-template type service TEST ipv4 verify unicast source reachable-via rx Notes - Applicable for PPPoE/IPoE - only strict mode supported, and no matter the value is 0 or 1, this AVPair will enable the strict mode urpf on the session interface. - by default, no urpf enabled on the session interface. RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de internal Wed Jul 9 16:20: UTC Interface: Bundle- Ether ip6 Circuit ID: Unknown Remote ID: Unknown Type: IP: DHCP- trigger IPv4 State: Up, Wed Jul 9 16:20: IPv4 Address: , VRF: default IPv4 Up helpers: 0x {IPSUB} IPv4 Up requestors: 0x {IPSUB} Mac Address: 3c07.545f.c041 Account- Session Id: Nas- Port: User name: 3c07.545f.c041 Outer VLAN ID: 201 Inner VLAN ID: 99 Subscriber Label: 0x Created: Wed Jul 9 16:20: State: Activated Authentication: unauthenticated Authorization: authorized 113 of 237

114 Ifhandle: 0x Session History ID: 14 Access- interface: Bundle- Ether Policy Executed: event Session- Start match- first [at Wed Jul 9 16:20: ] class type control subscriber S99_DHCPv4 do- until- failure [Succeeded] 10 activate dynamic- template S99_DT_DHCPV4_MIN [cerr: No error][aaa: Success] 20 authorize aaa list S99_AAA_list [cerr: No error][aaa: Success] Session Accounting: disabled Last COA request received: unavailable User Profile received from AAA: Attribute List: 0x500f98e8 1: ipv4- unnumbered len= 12 value= Loopback2099 2: primary- dns len= 4 value= : secondary- dns len= 4 value= : sub- qos- policy- out len= 9 value= SET_DSCP0 5: ipv4- mtu len= 4 value= 1200(4b0) 6: netmask len= 4 value= : strict- rpf len= 4 value= 0(0) Services: Name : S99_DT_DHCPV4_MIN Service- ID : 0x Type : Template Status : Applied Name : HTTPRDRT_TPL_1 Service- ID : 0x400002c Type : Multi Template Status : Applied [Event History] Jul 9 16:20: IPv4 Start Jul 9 16:20: SUBDB produce done Jul 9 16:20: IPv4 Up RP/0/RSP0/CPU0:Roy_BNG_1# sh ipv4 int Bundle- Ether ip6 Wed Jul 9 16:21: UTC Bundle- Ether ip6 is Up, ipv4 protocol is Up Vrf is default (vrfid 0x ) Interface is unnumbered. Using address of Loopback2099 ( /24) MTU is 1500 (1200 is available to IP) Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is not set Proxy ARP is disabled ICMP redirects are never sent ICMP unreachables are always sent ICMP mask replies are never sent Table Id is 0xe IP unicast RPF check is enabled RPF mode strict 114 of 237

115 NO IPV4-ICMP-UNREACHABLE Function To enable/disable ipv4 unreachable for subscriber session. It s session type independent. Attributes Cisco- avpair = ipv4- icmp- unreachable=1 Referred configura.on on BNG n/a Equivalent con.iguration in dynamic- template dynamic-template type service TEST ipv4 unreachables disable Notes - Applicable for PPPoE/IPoE. - By default, ipv4 icmp unreachables is always sent on the session interface. - No matter the value is 0 or 1, downloading this avpair cause the ipv4 icmp unreachables disabled on the session interface. Example user- pro.ile in radius server 3c07.545f.c041 Cleartext- Password := "cisco" Cisco- avpair = "ipv4- unnumbered=loopback2099", Cisco- avpair += "primary- dns= ", Cisco- avpair += "secondary- dns= ", Cisco- AVPair += "sub- qos- policy- out=set_dscp0", Cisco- avpair += "ipv4- mtu=1200", Cisco- avpair += "sa=httprdrt_tpl_1", Framed- IP- Netmask += , Cisco- avpair += "strict- rpf=0", Cisco- avpair += "ipv4- icmp- unreachable=1" RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess al de internal Wed Jul 9 16:42: UTC Interface: Bundle- Ether ip7 115 of 237

116 Circuit ID: Unknown Remote ID: Unknown Type: IP: DHCP- trigger IPv4 State: Up, Wed Jul 9 16:42: IPv4 Address: , VRF: default IPv4 Up helpers: 0x {IPSUB} IPv4 Up requestors: 0x {IPSUB} Mac Address: 3c07.545f.c041 Account- Session Id: f Nas- Port: User name: 3c07.545f.c041 Outer VLAN ID: 201 Inner VLAN ID: 99 Subscriber Label: 0x d Created: Wed Jul 9 16:42: State: Activated Authentication: unauthenticated Authorization: authorized Ifhandle: 0x00001a60 Session History ID: 12 Access- interface: Bundle- Ether Policy Executed: event Session- Start match- first [at Wed Jul 9 16:42: ] class type control subscriber S99_DHCPv4 do- until- failure [Succeeded] 10 activate dynamic- template S99_DT_DHCPV4_MIN [cerr: No error][aaa: Success] 20 authorize aaa list S99_AAA_list [cerr: No error][aaa: Success] Session Accounting: disabled Last COA request received: unavailable User Profile received from AAA: Attribute List: 0x500f990c 1: ipv4- unnumbered len= 12 value= Loopback2099 2: primary- dns len= 4 value= : secondary- dns len= 4 value= : sub- qos- policy- out len= 9 value= SET_DSCP0 5: ipv4- mtu len= 4 value= 1200(4b0) 6: netmask len= 4 value= : strict- rpf len= 4 value= 0(0) 8: ipv4- icmp- unreachable len= 4 value= 1(1) Services: Name : S99_DT_DHCPV4_MIN Service- ID : 0x Type : Template Status : Applied Name : HTTPRDRT_TPL_1 Service- ID : 0x400002c Type : Multi Template Status : Applied [Event History] Jul 9 16:42: IPv4 Start Jul 9 16:42: SUBDB produce done Jul 9 16:42: IPv4 Up RP/0/RSP0/CPU0:Roy_BNG_1# sh ipv4 int Bundle- Ether ip7 Wed Jul 9 16:43: UTC Bundle- Ether ip7 is Up, ipv4 protocol is Up Vrf is default (vrfid 0x ) Interface is unnumbered. Using address of Loopback2099 ( /24) MTU is 1500 (1200 is available to IP) Helper address is not set 116 of 237

117 Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is not set Proxy ARP is disabled ICMP redirects are never sent ICMP unreachables are never sent ICMP mask replies are never sent Table Id is 0xe IP unicast RPF check is enabled RPF mode strict NO DOUBLE DIP Function Double dip means when a session comes in,bng does the First authorization/ authentication to wholesaler s AAA. the wholesaler s radius server includes this AVPair in the access- accept to indicate the BNG to put the session into a retailer s VRF and do second authorization/authentication to the retailer s AAA. It s session type independent. Attributes Cisco- avpair = redirect- vrf=retailer1 Referred configura.on on BNG there is a example config and it s debug output in the cisco internal link of iwe.cisco.com/web/view- post/post/- /posts?postid= Equivalent con.iguration in dynamic- template n/a Notes - Applicable for PPPoE/IPoE - see more detail in post/post/- /posts? postid= of 237

118 NO ENABLE HTTP REDIRECT Function To use a radius AVPair to enable a HTTP redirect policy to a session. It s session type independent. Attributes Cisco- avpair = sub- pbr- policy- in=httpr Referred configura.on on BNG you need to configure a policy- map type pbr with same name locally on the box. policy-map type pbr HTTPR class type traffic Portal transmit class type traffic HTTPRDRT http-redirect class type traffic class-default drop class-map type traffic match-any Portal match access-group ipv4 Portal end-class-map class-map type traffic match-any HTTPRDRT match access-group ipv4 HTTPRDRT_ACL end-class-map ipv4 access-list Portal 10 permit icmp any any 20 permit ipv4 any host permit ipv4 any host ipv4 access-list HTTPRDRT_ACL 10 permit tcp any any eq www 118 of 237

119 Equivalent con.iguration in dynamic- template dynamic-template type service HTTPRDRT_TPL service-policy type pbr HTTPR policy-map type pbr HTTPR class type traffic Portal transmit class type traffic HTTPRDRT http-redirect class type traffic class-default drop class-map type traffic match-any Portal match access-group ipv4 Portal end-class-map class-map type traffic match-any HTTPRDRT match access-group ipv4 HTTPRDRT_ACL end-class-map ipv4 access-list Portal 10 permit icmp any any 20 permit ipv4 any host permit ipv4 any host ipv4 access-list HTTPRDRT_ACL 10 permit tcp any any eq www Notes - Applicable for PPPoE/IPoE - use sh policy- map type pbr to check the use of pbr policy. NO DHCPV4 SESSION LIMIT Function To Specify the max session could be brought up for subscriber with a particular circurt- id. Attributes Cisco- avpair = session- limit=1 119 of 237

120 Referred configura.on on BNG example of DHCPv4 server, Proxy is similar. dhcp ipv4 profile dhcp-server server class dhcp-hgw-vobb lease pool pool-hgw-vobb dns-server limit lease per-circuit-id 2 < this number could be overrode by the AVPair relay information authenticate inserted interface Bundle-Ether9.1 server information option format-type circuit-id format-string "KAOLAB4301 bubdle-ether %s vlan-id %s" physical-port outer-vlan-id Equivalent con.iguration in dynamic- template no dynamic- template equivalence, but you can depine the session limit per circuit- id in the dhcp ipv4 conpig block. dhcp ipv4 profile PROXY proxy limit lease per-circuit-id 1 Notes - Applicable for DHCP triggered IPoEv4 only - work for both dhcp server mode and dhcp proxy mode. - the circuit- id could be inserted by access- node or inserted by BNG itself. NO DHCPV4 CLASS Function To Specify the DHCP class whose configuration would be used for dhcp address assignment to a session. In this way, the radius server is involved to influence the behaviour of DHCP server. 120 of 237

121 Attributes Cisco- avpair = dhcp- class=dhcp- hgw- vobb Referred configura.on on BNG example of DHCPv4 server, Proxy is similar. dhcp ipv4 profile dhcp-server server class dhcp-hgw-vobb lease pool pool-hgw-vobb dns-server class OTHER lease pool OTHER dns-server interface Bundle-Ether9.1 server information option format-type circuit-id format-string "KAOLAB4301 bubdle-ether %s vlan-id %s" physical-port outer-vlan-id Equivalent con.iguration in dynamic- template No dynamic- template equivalence, but you can depine DHCP class with matching conditions using vrf or other DHCP option. dhcp ipv4 profile dhcp-server server class dhcp-hgw-vobb match option? 124 Match option 124 vendor-identifying vendor class 125 Match option 125 vendor-indentifying vendor-specific info 60 Match option 60 vendor class id 77 Match option 77 user class circuitid Match circuit id of option 82 Relay-agent specific class remoteid Match remote id of option 82 Relay-agent specific class Notes - Applicable for DHCP triggered IPoEv4 only. - To use this radius attribute to influence the selection of DHCP class on ASR9K, ASR9K must work on dhcp server mode. but, locally definition of the matching category for the class is supported in both proxy mode and server mode. 121 of 237

122 An example of DHCP- class Here a single access- interface is used to terminate two type of IPoE session, ASR9K works as a DHCPv4 server under the influence of radius ( so called DHCP server radius proxy mode). For some sessions( saying session from PC), they need to be put into the default vrf, and get ip address from /24 subnet. for other sessions, (saying session from STB), they need to be put into a different vrf ( S99_VRF in this case), and get ip address from /24 subnet. In the dhcp ipv4 config block, besides the regular config ( pool, subnet- mask, default- router etc), there is another sub- block of config under a class named CLASS_VPN,a different pool and lease time are defined. pool vrf S99_VRF ipv4 S99_POOL_DHCPV4_VRF network /24 default-router exclude pool vrf default ipv4 S99_POOL_DHCPV4 network /24 default-router exclude dhcp ipv4 profile S99_SERVER_PROFILE server lease class CLASS_VPN lease pool S99_POOL_DHCPV4_VRF default-router pool S99_POOL_DHCPV4 subnet-mask default-router interface Bundle-Ether server profile S99_SERVER_PROFILE interface Bundle-Ether description student-99 DHCPv4 session service-policy output SET_DSCP0 ipv4 point-to-point ipv4 unnumbered Loopback2099 service-policy type control subscriber S99_CP_DHCPV4_BASIC ipsubscriber ipv4 l2-connected initiator dhcp encapsulation ambiguous dot1q 201 second-dot1q of 237

123 policy-map type control subscriber S99_CP_DHCPV4_BASIC event session-start match-first class type control subscriber S99_DHCPv4 do-until-failure 10 activate dynamic-template S99_DT_DHCPV4_MIN 20 authorize aaa list S99_AAA_list identifier source-address-mac password cisco end-policy-map dynamic-template type ipsubscriber S99_DT_DHCPV4_MIN ipv4 unnumbered Loopback2099 interface Loopback2099 ipv4 address interface Loopback2199 vrf S99_VRF ipv4 address PC s session in default vrf a857.4e06.4f47 Cleartext- Password := "cisco" the user profile could be empty, nothing needed to be downloaded to bring up a session in default vrf since the dynamic- template takes care of the needed config. RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all detail internal Fri Jun 27 14:44: UTC Interface: Bundle- Ether ip18 Circuit ID: Unknown Remote ID: Unknown Type: IP: DHCP- trigger IPv4 State: Up, Fri Jun 27 14:44: IPv4 Address: , VRF: default IPv4 Up helpers: 0x {IPSUB} IPv4 Up requestors: 0x {IPSUB} Mac Address: a857.4e06.4f47 Account- Session Id: e Nas- Port: User name: a857.4e06.4f47 Outer VLAN ID: 201 Inner VLAN ID: 99 Subscriber Label: 0x d Created: Fri Jun 27 14:44: State: Activated Authentication: unauthenticated Authorization: authorized Ifhandle: 0x Session History ID: 3 Access- interface: Bundle- Ether Policy Executed: 123 of 237

124 event Session- Start match- first [at Fri Jun 27 14:44: ] class type control subscriber S99_DHCPv4 do- until- failure [Succeeded] 10 activate dynamic- template S99_DT_DHCPV4_MIN [cerr: No error][aaa: Success] 20 authorize aaa list S99_AAA_list [cerr: No error][aaa: Success] Session Accounting: disabled Last COA request received: unavailable User Profile received from AAA: None Services: Name : S99_DT_DHCPV4_MIN Service- ID : 0x Type : Template Status : Applied [Event History] Jun 27 14:44: IPv4 Start Jun 27 14:44: SUBDB produce done Jun 27 14:44: IPv4 Up RP/0/RSP0/CPU0:Roy_BNG_1#sh dhcp ipv4 server binding Fri Jun 27 14:44: UTC Lease MAC Address IP Address State Remaining Interface VRF Sublabel a857.4e06.4f BOUND 591 BE default 0x5d STB session a857.4e06.4f47 Cleartext- Password := "cisco" Cisco- avpair += "ipv4- unnumbered=loopback2199", Cisco- avpair += "dhcp- class=class_vpn", Cisco- avpair += vrf- id=s99_vrf" Use dhcp- class=class_vpn to indicate the 9K follow the dhcp config under that named class. The AVPair vrf- id and ipv4- unnumbered are needed as well, aligning with the pool s vrf, to override the config in the dyunamic- template. RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all detail internal Fri Jun 27 14:40: UTC Interface: Bundle- Ether ip16 Circuit ID: Unknown Remote ID: Unknown Type: IP: DHCP- trigger IPv4 State: Up, Fri Jun 27 14:39: IPv4 Address: , VRF: S99_VRF IPv4 Up helpers: 0x {IPSUB} IPv4 Up requestors: 0x {IPSUB} Mac Address: a857.4e06.4f47 Account- Session Id: c Nas- Port: of 237

125 User name: a857.4e06.4f47 Outer VLAN ID: 201 Inner VLAN ID: 99 Subscriber Label: 0x b Created: Fri Jun 27 14:39: State: Activated Authentication: unauthenticated Authorization: authorized Ifhandle: 0x000018e0 Session History ID: 9 Access- interface: Bundle- Ether Policy Executed: event Session- Start match- first [at Fri Jun 27 14:39: ] class type control subscriber S99_DHCPv4 do- until- failure [Succeeded] 10 activate dynamic- template S99_DT_DHCPV4_MIN [cerr: No error][aaa: Success] 20 authorize aaa list S99_AAA_list [cerr: No error][aaa: Success] Session Accounting: disabled Last COA request received: unavailable User Profile received from AAA: Attribute List: 0x500f9780 1: ipv4- unnumbered len= 12 value= Loopback2199 2: dhcp- class len= 9 value= CLASS_VPN 3: ip- vrf len= 7 value= S99_VRF Services: Name : S99_DT_DHCPV4_MIN Service- ID : 0x Type : Template Status : Applied [Event History] Jun 27 14:39: IPv4 Start Jun 27 14:39: SUBDB produce done Jun 27 14:39: IPv4 Up RP/0/RSP0/CPU0:Roy_BNG_1#sh dhcp ipv4 server binding Fri Jun 27 14:40: UTC Lease MAC Address IP Address State Remaining Interface VRF Sublabel a857.4e06.4f BOUND 1149 BE S99_VRF 0x5b NO CLASS (IETF ATTRIBUTE 25) Function To include an attributes downloaded in an access- accept on authentication into accounting- request without modification. This string is defined in the user- profile in radius server, so it could be per subscriber basis. It s session type independent. 125 of 237

126 Attributes Class = CLASS_NAME Referred configura.on on BNG n/a Equivalent con.iguration in dynamic- template n/a Notes - Applicable for all kinds of session. - the attribute CLASS will be included into accounting- start, accounting- interim and accounting- stop. - see debug information from radius server. Sending Access- Accept of id 27 to port Cisco- AVPair = "ipv4- unnumbered=loopback9299" Cisco- AVPair += "accounting- list=s99_aaa_list" Acct- Interim- Interval += 600 Framed- Route += " " Cisco- AVPair += "sub- qos- policy- in=s99_in_policing_256k" Cisco- AVPair += "sub- qos- policy- out=s99_out_policing_512k" Cisco- AVPair += "sub- pbr- policy- in=httprdrt_pbr_1" Cisco- AVPair += "vrf- id=free_product" Class += 0x434c f4e414d45 Cisco- AVPair += "echo- string- 1=BLUE" Cisco- AVPair += "echo- string- 2=RED" Cisco- AVPair += "echo- string- 3=GREEN" Cisco- AVPair += "echo- string- 4=YELLOW" rad_recv: Accounting- Request packet from host port 52217, id=31, l ength=387 Acct- Interim- Interval = 600 Acct- Status- Type = Start Event- Timestamp = NAS- Port- Type = 44 Framed- IP- Address = Cisco- AVPair = "client- mac- address=3c07.545f.c041" Acct- Session- Id = " " NAS- Port = of 237

127 NAS- Port- Id = "0/0/901/99.901" Cisco- NAS- Port = "0/0/901/99.901" Called- Station- Id = "99" Calling- Station- Id = "3c07.545f.c041" User- Name = " " Cisco- AVPair = "vrf- id=free_product" Cisco- AVPair = "echo- string- 1=BLUE" Cisco- AVPair = "echo- string- 2=RED" Cisco- AVPair = "echo- string- 3=GREEN" Cisco- AVPair = "echo- string- 4=YELLOW" Class = 0x434c f4e414d45 Service- Type = Outbound- User NO ECHO-STRING (CISCO AVPAIR) Function To include multiple(up to 4) attributes downloaded in an access- accept on authentication into accounting- request whiteout modification. This string is defined in the user- profile in radius server, so it could be per subscriber basis. In some case only one attribute is not enough for this purpose, so we give you more AVPair to achieve the same goal. please be noted, ASR9K BNG do not support AVPair duplication, that s the reason why you see here we use 4 different AVPair with different value portion. Attributes Cisco- AVPair += "echo- string- 1=BLUE" Cisco- AVPair += "echo- string- 2=RED" Cisco- AVPair += "echo- string- 3=GREEN" Cisco- AVPair += "echo- string- 4=YELLOW" Referred configura.on on BNG n/a Equivalent con.iguration in dynamic- template 127 of 237

128 n/a Notes - Applicable for all kinds of session - the attribute CLASS will be included into accounting- start, accounting- interim and accounting- stop. - see debug information from radius server. Sending Access- Accept of id 27 to port Cisco- AVPair = "ipv4- unnumbered=loopback9299" Cisco- AVPair += "accounting- list=s99_aaa_list" Acct- Interim- Interval += 600 Framed- Route += " " Cisco- AVPair += "sub- qos- policy- in=s99_in_policing_256k" Cisco- AVPair += "sub- qos- policy- out=s99_out_policing_512k" Cisco- AVPair += "sub- pbr- policy- in=httprdrt_pbr_1" Cisco- AVPair += "vrf- id=free_product" Class += 0x434c f4e414d45 Cisco- AVPair += "echo- string- 1=BLUE" Cisco- AVPair += "echo- string- 2=RED" Cisco- AVPair += "echo- string- 3=GREEN" Cisco- AVPair += "echo- string- 4=YELLOW" rad_recv: Accounting- Request packet from host port 52217, id=31, l ength=387 Acct- Interim- Interval = 600 Acct- Status- Type = Start Event- Timestamp = NAS- Port- Type = 44 Framed- IP- Address = Cisco- AVPair = "client- mac- address=3c07.545f.c041" Acct- Session- Id = " " NAS- Port = NAS- Port- Id = "0/0/901/99.901" Cisco- NAS- Port = "0/0/901/99.901" Called- Station- Id = "99" Calling- Station- Id = "3c07.545f.c041" User- Name = " " Cisco- AVPair = "vrf- id=free_product" Cisco- AVPair = "echo- string- 1=BLUE" Cisco- AVPair = "echo- string- 2=RED" Cisco- AVPair = "echo- string- 3=GREEN" Cisco- AVPair = "echo- string- 4=YELLOW" Class = 0x434c f4e414d45 Service- Type = Outbound- User NO V6 ENABLE Function To enable IPv6 address family for a session 128 of 237

129 Attributes Cisco- AVPair = ipv6- enable=1 Referred configura.on on BNG n/a Equivalent con.iguration in dynamic- template dynamic-template type ppp TEST ipv6 enable or dynamic-template type ipsubscriber TEST ipv6 enable Notes - Applicable for PPPoE PTA, DHCP triggered IPoE, PKT triggered IPoE, static session. Never include this attribute in the access- accept for a LAC session. DS Client PPPoE DS detailed call flow SLAAC based address assignment AAA DHCP PPPoE exchange (PADI,PADO,PADR,PADS) PPP LCP PPP IPCP (IPv4 parameters negotiation, addrs, WINS, DNS, ) PPP IPv6CP Access Request Access Accept (IPv6 interface-id negotiation) Accounting Start IPCP Open IPv4 Data traffic can flow through session IPv6 ND RA Framed-Ipv6-Prefix Framed-Interface- Id(optional) Framed-Ipv6-Prefix IPv4 and IPv6 Data traffic can flow through session Accounting Interim (Periodic) 129 of 237

130 - This is the attribute to enable IPv6 address family for a session, it s the counterpart of Cisco- AVPair ipv4- unnumbered, but v6 session do not need to unnumbered to any interface. NO V6 PREFIX FOR PPPOE PTA SESSION USING SLAAC Function To specify the IPv6 prefix assigned to a PPPoE client using SLAAC. Attributes Framed- Ipv6- Prefix = FEC0:0000:0000:0000:0000:0000:0000:0000/64 Referred configura.on on BNG n/a Equivalent con.iguration in dynamic- template n/a Notes - The net mask must be present, and currently only supported one is /64. - Applicable for PPPoEv6 or DS PTA session using SLAAC(or called ND) for V6 addressing. - A subscriber route will be created in the v6 routing table for this prefix automatically. - Never include this attribute in the access- accept for a LAC session. - For SLAAC, apart from the V6 prefix, the client need the ipv6 interface- id as well to build the complete V6 address. The IPv6 interface- id is negotiated between the BNG and the client over IPv6CP protocol during the PPP stage, the adopted interface- id by default is based on the client s MAC address information. Optionally, it s allow to specify the interface- id in radius user- profile or defined it in dynamic- template. 130 of 237

131 IPv6 Prefix: FEC0:0000:0000:0000:0000:0000:0000:0000/64 IPv6 Interface ID: 0260:08FF:FEFF:FFFF IPv6 Address: FEC0:0000:0000:0000:0260:08FF:FEFF:FFFF - framed- ipv6- prefix could be specified from radius, and BNG will negotiate it to Client using ICMPv6 protocol RA message - framed- interface- id could be specified from radius optionally, and negotiate to Client using PPP IPv6CP protocol, or let the client to determine it s interface- id by itself. Example of V6 SLAAC using attribute framed- ipv6- pre.ix BNG con.ig interface Bundle- Ether service- policy type control subscriber S99_CP_PTA_NO_LOCAL_FEATURE pppoe enable encapsulation dot1q 301 second- dot1q 99 policy- map type control subscriber S99_CP_PTA_NO_LOCAL_FEATURE event session- start match- first class type control subscriber S99_PTA do- until- failure 10 activate dynamic- template S99_DT_LCP event session- activate match- first class type control subscriber S99_PTA do- until- failure 10 authenticate aaa list S99_AAA_list end- policy- map dynamic- template type ppp S99_DT_LCP ppp authentication pap chap Radius server user pro.ile V6PPP1@S99 Cleartext- Password := "cisco" Cisco- avpair = "ipv6- enable=1", Framed- Ipv6- Prefix += FEC0:0000:0000:0000:0000:0000:0000:0000/64 Radius server debug for authentication Mon Jun 30 11:38: : Info: Ready to process requests. rad_recv: Access- Request packet from host port 28597, id=53, lengt h=245 Cisco- AVPair = "client- mac- address=3c07.545f.c041" Acct- Session- Id = " c" NAS- Port = NAS- Port- Id = "0/0/301/99.301" 131 of 237

132 Cisco- NAS- Port = "0/0/301/99.301" User- Name = "V6PPP1@S99" Service- Type = Framed- User User- Password = "cisco" X- Ascend- Connect- Progress = LCP- Opened Cisco- AVPair = "connect- progress=lcp Open" Framed- Protocol = PPP NAS- Port- Type = 37 Called- Station- Id = "99" Calling- Station- Id = "3c07.545f.c041" Event- Timestamp = NAS- Identifier = "Roy_BNG_1" NAS- IP- Address = Mon Jun 30 13:37: : Info: # Executing section authorize from file../etc/ raddb/sites- enabled/default Sending Access- Accept of id 53 to port Cisco- AVPair = "ipv6- enable=1" Framed- IPv6- Prefix += fec0::/64 Mon Jun 30 13:37: : Info: Finished request 13. Session display RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all Mon Jun 30 11:36: UTC Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated, ID - Idle, DN - Disconnecting, ED - End Type Interface State Subscriber IP Addr / Prefix LNS Address (Vrf) PPPoE:PTA BE pppoe11 AC - fec0::/64 (default) RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de internal Mon Jun 30 11:36: UTC Interface: Bundle- Ether pppoe11 Circuit ID: Unknown Remote ID: Unknown Type: PPPoE:PTA IPv4 State: Down, Mon Jun 30 11:36: IPv6 State: Up, Mon Jun 30 11:36: Framed IPv6 Prefix: fec0::/64, VRF: default IPv6 Interface ID: >.T.._.A (3e ff fe 5f c0 41) IPv6 Up helpers: 0x {PPP,ND} IPv6 Up requestors: 0x {PPP,ND} Mac Address: 3c07.545f.c041 Account- Session Id: b Nas- Port: User name: V6PPP1@S99 Outer VLAN ID: 301 Inner VLAN ID: 99 Subscriber Label: 0x Created: Mon Jun 30 11:36: State: Activated Authentication: authenticated 132 of 237

133 Authorization: unauthorized Ifhandle: 0x Session History ID: 4 Access- interface: Bundle- Ether Policy Executed: event Session- Start match- first [at Mon Jun 30 11:36: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 activate dynamic- template S99_DT_LCP [cerr: No error][aaa: Success] event Session- Activate match- first [at Mon Jun 30 11:36: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 authenticate aaa list S99_AAA_list [cerr: No error][aaa: Success] Session Accounting: disabled Last COA request received: unavailable User Profile received from AAA: Attribute List: 0x500f994c 1: ipv6- enable len= 4 value= 1(1) 2: prefix len= 18 value= fec0::/64 Services: Name : S99_DT_LCP Service- ID : 0x400003e Type : Template Status : Applied [Last IPv4 down] Disconnect Reason: Disconnect Cause: AAA_DISC_CAUSE_DEFAULT (0) Abort Cause: AAA_AV_ABORT_CAUSE_NO_REASON (0) Terminate Cause: AAA_AV_TERMINATE_CAUSE_NONE (0) Disconnect called by: [iedge internal] [Event History] Jun 30 11:36: SUBDB produce done [many] Jun 30 11:36: IPv6 Up [many] RP/0/RSP0/CPU0:Roy_BNG_1#sh route ipv6 Mon Jun 30 11:36: UTC A fec0::/64 is directly connected, 00:00:23, Bundle- Ether pppoe11 RP/0/RSP0/CPU0:Roy_BNG_1#sh route ipv6 fec0::/64 detail Mon Jun 30 11:37: UTC Routing entry for fec0::/64 Known via "subscriber", distance 2, metric 0 (connected) Installed Jun 30 11:36: for 00:00:39 Routing Descriptor Blocks directly connected, via Bundle- Ether pppoe11 Route metric is 0 Label: 0x12e0 (4832) Tunnel ID: None Extended communities count: 0 NHID:0x0(Ref:0) Route version is 0x1 (1) No local label IP Precedence: Not Set QoS Group ID: Not Set Route Priority: RIB_PRIORITY_RECURSIVE (8) SVD Type RIB_SVD_TYPE_LOCAL Download Priority 3, Download Version 1 No advertising protos. 133 of 237

134 RP/0/RSP0/CPU0:Roy_BNG_1#sh pool ipv6 Mon Jun 30 11:37: UTC Used: 0 Excl: 0 Free: Total: Utilization: 0% Allocation Summary Pool Name Pool ID VRF Used Excl Free Total PD_pool 46 default pppoe_poolv6 48 default v6_pool_1 47 default ipv6cp negotiation( debug ppp negotiation) RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Initial]: I CONFREQ id 1 len 14 RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Initial]: Conf- Req packet stalled RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Initial]: Interface- Id 3e07:54ff:fe5f:c041 (0x010a3e0754fffe5fc041) RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Initial]: Open Event RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Initial]: Change to state Starting RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Starting]: Report This- Layer- Started RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Starting]: Up Event RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Starting]: Initialize- Restart- Counter RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Starting]: O CONFREQ id 1 len 14 RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Starting]: Interface- Id e6c7:22ff:fe3a:d1f8 (0x010ae6c722fffe3ad1f8) RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Req- Sent]: Restarting stalled Conf- Req packet RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Req- Sent]: I CONFREQ id 1 len 14 RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Starting]: Change to state Req- Sent RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Req- Sent]: Interface- Id 3e07:54ff:fe5f:c041 (0x010a3e0754fffe5fc041) RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Req- Sent]: O CONFACK id 1 len 14 - packet STALLED RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Req- Sent]: Interface- Id 3e07:54ff:fe5f:c041 (0x010a3e0754fffe5fc041) RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Req- Sent]: Change to state Ack- Sent RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Ack- Sent]: I CONFACK id 1 len 14 RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Ack- Sent]: Interface- Id e6c7:22ff:fe3a:d1f8 (0x010ae6c722fffe3ad1f8) RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Ack- Sent]: Initialize- Restart- Counter RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Ack- Sent]: Change to state Open RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Open]: Report This- Layer- Up 134 of 237

135 RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Open]: O CONFACK id 1 len 14 - after DELAY RP/0/RSP0/CPU0:Jun 30 13:35: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe12: [Open]: Interface- Id 3e07:54ff:fe5f:c041 (0x010a3e0754fffe5fc041) NO V6 FRAMED-INTERFACE-ID FOR PPPOE PTA SESSION USING SLAAC Function To specify the IPv6 framed- interface- id assigned to a PPPoE client using SLAAC. Attributes Framed- Interface- Id = 0260:08FF:FEFF:FFFF Referred configura.on on BNG n/a Equivalent con.iguration in dynamic- template dynamic-template type ppp TEST ppp ipv6cp peer-interface-id? WORD 64-bit Peer Interface-ID (hex value without leading 0x) Notes - The Framed- Interface- Id Attribute indicates the IPv6 interface identifier to be configured for the user. It MAY be used in Access- Accept packets. - See detail usage in No. 33 V6 prefix for PPPoE PTA session using SLAAC Example of interface- id with V6 pre.ix user pro.ile in radius server V6PPP3@S99 Cleartext- Password := "cisco" Cisco- avpair = "ipv6- enable=1", Framed- Interface- Id += 0260:08FF:FEFF:FFFF, Framed- Ipv6- Prefix += FEC0:0000:0000:0000:0000:0000:0000:0000/64 radius server log 135 of 237

136 rad_recv: Access- Request packet from host port 28597, id=62, lengt h=245 Cisco- AVPair = "client- mac- address=3c07.545f.c041" Acct- Session- Id = " " NAS- Port = NAS- Port- Id = "0/0/301/99.301" Cisco- NAS- Port = "0/0/301/99.301" User- Name = "V6PPP3@S99" Service- Type = Framed- User User- Password = "cisco" X- Ascend- Connect- Progress = LCP- Opened Cisco- AVPair = "connect- progress=lcp Open" Framed- Protocol = PPP NAS- Port- Type = 37 Called- Station- Id = "99" Calling- Station- Id = "3c07.545f.c041" Event- Timestamp = NAS- Identifier = "Roy_BNG_1" NAS- IP- Address = Mon Jun 30 14:04: : Info: # Executing section authorize from file../etc/ Sending Access- Accept of id 62 to port Cisco- AVPair = "ipv6- enable=1" Framed- Interface- Id += 260:8ff:feff:ffff Framed- IPv6- Prefix += fec0::/64 Mon Jun 30 14:04: : Info: Finished request 0. BNG session display RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de internal Mon Jun 30 14:03: UTC Interface: Bundle- Ether pppoe17 Circuit ID: Unknown Remote ID: Unknown Type: PPPoE:PTA IPv4 State: Down, Mon Jun 30 14:03: IPv6 State: Up, Mon Jun 30 14:03: Framed IPv6 Prefix: fec0::/64, VRF: default IPv6 Interface ID:.`... ( ff fe ff ff ff) IPv6 Up helpers: 0x {PPP,ND} IPv6 Up requestors: 0x {PPP,ND} Mac Address: 3c07.545f.c041 Account- Session Id: Nas- Port: User name: V6PPP3@S99 Outer VLAN ID: 301 Inner VLAN ID: 99 Subscriber Label: 0x b Created: Mon Jun 30 14:03: State: Activated Authentication: authenticated Authorization: unauthorized Ifhandle: 0x000017a0 Session History ID: 7 Access- interface: Bundle- Ether Policy Executed: event Session- Start match- first [at Mon Jun 30 14:03: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 136 of 237

137 10 activate dynamic- template S99_DT_LCP [cerr: No error][aaa: Success] event Session- Activate match- first [at Mon Jun 30 14:03: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 authenticate aaa list S99_AAA_list [cerr: No error][aaa: Success] Session Accounting: disabled Last COA request received: unavailable User Profile received from AAA: Attribute List: 0x500f997c 1: ipv6- enable len= 4 value= 1(1) 2: Interface- Id len= 8 value= ff fe ff ff ff 3: prefix len= 18 value= fec0::/64 Services: Name : S99_DT_LCP Service- ID : 0x400003e Type : Template Status : Applied [Last IPv4 down] Disconnect Reason: Disconnect Cause: AAA_DISC_CAUSE_DEFAULT (0) Abort Cause: AAA_AV_ABORT_CAUSE_NO_REASON (0) Terminate Cause: AAA_AV_TERMINATE_CAUSE_NONE (0) Disconnect called by: [iedge internal] [Event History] Jun 30 14:03: SUBDB produce done [many] Jun 30 14:03: IPv6 Up [many] RP/0/RSP0/CPU0:Roy_BNG_1# RP/0/RSP0/CPU0:Roy_BNG_1# RP/0/RSP0/CPU0:Roy_BNG_1#sh route ipv6 subscriber Mon Jun 30 14:03: UTC A fec0::/64 is directly connected, 00:00:23, Bundle- Ether pppoe17 IPC6CP negotiation ( debug ppp negotiation) RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Initial]: I CONFREQ id 1 len 14 RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Initial]: Interface- Id 3e07:54ff:fe5f:c041 (0x010a3e0754fffe5fc041) RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Initial]: Conf- Req packet stalled RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Initial]: Open Event RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Initial]: Change to state Starting RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Starting]: Report This- Layer- Started RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Starting]: Up Event RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Starting]: Initialize- Restart- Counter RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Starting]: Interface- Id e6c7:22ff:fe3a:d1f8 (0x010ae6c722fffe3ad1f8) RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Starting]: Change to state Req- Sent RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Req- Sent]: Restarting stalled Conf- Req packet RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Req- Sent]: I CONFREQ id 1 len 14 RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Req- Sent]: Interface- Id 3e07:54ff:fe5f:c041 (0x010a3e0754fffe5fc041) RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Req- Sent]: O CONFNAK id 1 len of 237

138 RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Req- Sent]: Interface- Id 0260:08ff:feff:ffff (0x010a026008fffeffffff) RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Starting]: O CONFREQ id 1 len 14 RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Req- Sent]: I CONFACK id 1 len 14 RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Req- Sent]: Interface- Id e6c7:22ff:fe3a:d1f8 (0x010ae6c722fffe3ad1f8) RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Req- Sent]: Initialize- Restart- Counter RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Req- Sent]: Change to state Ack- Rcvd RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Ack- Rcvd]: I CONFREQ id 2 len 14 RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Ack- Rcvd]: Interface- Id 0260:08ff:feff:ffff (0x010a026008fffeffffff) RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Ack- Rcvd]: O CONFACK id 2 len 14 - packet STALLED RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Ack- Rcvd]: Change to state Open RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Ack- Rcvd]: Interface- Id 0260:08ff:feff:ffff (0x010a026008fffeffffff) RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Open]: Report This- Layer- Up RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Open]: O CONFACK id 2 len 14 - after DELAY RP/0/RSP0/CPU0:Jun 30 13:54: : PPP- MA[363]: IPv6CP: Bundle- Ether pppoe16: [Open]: Interface- Id 0260:08ff:feff:ffff (0x010a026008fffeffffff NO V6 FRAMED-IPV6-POOL FOR PPPOE PTA SESSION USING SLAAC Function To specify the IPv6 prefix pool from which to assign a v6 prefix to a PPPoE client using SLAAC. Attributes Cisco- avpair = ipv6- addr- pool= pppoe_poolv6 or Framed- Ipv6- Pool = pppoe_poolv6 Referred configura.on on BNG pool vrf default ipv6 pppoe_poolv6 prefix-length 64 prefix-range 20:1:1:: 20:1:1:3fff:: 138 of 237

139 Equivalent con.iguration in dynamic- template dynamic-template type ppp TEST ipv6 nd framed-prefix-pool pppoe_poolv6 Notes - Applicable for PPPoEv6 or DS PTA session using SLAAC(or called ND) for V6 addressing. - For SLAAC, apart from the V6 prefix, the client also need to learn the prefix length and the framed- interface- id to build the complete V6 address. Usually they are downloaded from radius server on authenticaiton. - framed- ipv6- prefix could be specified from radius, and BNG will negotiate it to Client using ICMPv6 protocol RA message. - framed- prefix- lenth could be specified from radius. BNG will negotiate it to Client using ICMPv6 protocol RA message. - framed- interface- id could be specified from radius and negotiate to Client using PPP IPv6CP protocol, or let the client to determine it s interface- id by itself. - By downloading Framed- Ipv6- Pool from radius, you need to have the v6 pool predefined on the BNG with perfix- length and prefix- ranged defined. On receiving the attribute, BNG will pick a prefix from the local defined pool and negotiate the prefix and prefix- length using ICMPv6 RA to the client. you don t need to download the prefix- len from radius server since it s already defined in the v6 pool. And the interface- id is optional here. - A subscriber route will be created in the v6 routing table for this prefix. - Never include this attribute in the access- accept for a LAC session. Example of framed- ipv6- pool user- pro.ile in radius server V6PPP4@S99 Cleartext- Password := "cisco" Cisco- avpair = "ipv6- enable=1", Framed- Ipv6- Pool += pppoe_poolv6 session information RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de internal Wed Jul 9 10:48: UTC Interface: Bundle- Ether pppoe5 Circuit ID: Unknown Remote ID: Unknown Type: PPPoE:PTA IPv4 State: Up, Wed Jul 9 10:48: IPv4 Address: , VRF: default IPv4 Up helpers: 0x {PPP} 139 of 237

140 IPv4 Up requestors: 0x {PPP} IPv6 State: Up, Wed Jul 9 10:48: Framed IPv6 Prefix: 20:1:1::/64, VRF: default IPv6 Interface ID: >.T.._.A (3e ff fe 5f c0 41) IPv6 Up helpers: 0x {PPP,ND} IPv6 Up requestors: 0x {PPP,ND} Mac Address: 3c07.545f.c041 Account- Session Id: Nas- Port: User name: V6PPP4@S99 Outer VLAN ID: 101 Inner VLAN ID: 99 Subscriber Label: 0x Created: Wed Jul 9 10:48: State: Activated Authentication: authenticated Authorization: unauthorized Ifhandle: 0x000014a0 Session History ID: 5 Access- interface: Bundle- Ether Policy Executed: event Session- Start match- first [at Wed Jul 9 10:48: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 activate dynamic- template S99_DT_LCP [cerr: No error][aaa: Success] event Session- Activate match- first [at Wed Jul 9 10:48: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 authenticate aaa list S99_AAA_list [cerr: No error][aaa: Success] 20 activate dynamic- template S99_DT_PTA_MIN [cerr: No error][aaa: Success] Session Accounting: disabled Last COA request received: unavailable User Profile received from AAA: Attribute List: 0x500f9a80 1: ipv6- enable len= 4 value= 1(1) 2: Services: Name : S99_DT_LCP Service- ID : 0x400003e Type : Template Status : Applied Name : S99_DT_PTA_MIN Service- ID : 0x400005a Type : Template Status : Applied [Event History] Jul 9 10:48: SUBDB produce done [many] Jul 9 10:48: IPv4 Up Jul 9 10:48: IPv6 Up [many] RP/0/RSP0/CPU0:Roy_BNG_1#sh pool ipv6 Wed Jul 9 10:48: UTC Allocation Summary Used: 1 Excl: 0 Free: Total: of 237

141 Utilization: 0% Pool Name Pool ID VRF Used Excl Free Total PD_pool 46 default pppoe_poolv6 48 default v6_pool_1 47 default RP/0/RSP0/CPU0:Roy_BNG_1# RP/0/RSP0/CPU0:Roy_BNG_1#sh route ipv6 subscriber Wed Jul 9 10:49: UTC A 20:1:1::/64 is directly connected, 00:00:50, Bundle- Ether pppoe5 RP/0/RSP0/CPU0:Roy_BNG_1# No V6 framed- route for PPP and IPoE Function To specify the IPv6 route associated to a session. Attributes Framed- IPv6- Route += "45:1:1:1:2:3:4:5/128 :: 4 tag 5" The syntax is Framed- Route = vrf <prepix VRF> <prepix> <prepix mask> vrf <next hop vrf> <next hop prepix> <AD> tag <tag id> Referred configura.on on BNG n/a Equivalent con.iguration in dynamic- template n/a Notes 141 of 237

142 - For PPPoE and IPoE, this attribute is supported from (got some bug which will be Pixed in 520 release) - There are some feature disparities between PPPoE and IPoE - PPPoE - Cross VRF route is not supported, which means that the session, the prepix and next- hop of the route must be in the same VRF, the route will be installed into the VRF to which the session belong ( the vrf specipied by dyamic- template or Avpair vrf- id coming along with the framed- route on authentication). - COA pushing is not supported. - To install a framed- ipv6- route into a VRF ( for example VRF_1) where the session is reside in, you can download following attribute from the radius Cisco- AVpair= vrf- id=vrf_1 Framed- IPv6- Route += "45:1:1:1:2:3:4:5/128 :: 4 tag 5" The route 45:1:1:1:2:3:4:5/128 will be installed to vrf VRF_1 - IPoE - Cross VRF route is supported. The session and prepix could be in one VRF, the next- hop could be in another vrf. - COA pushing is supported for IPoE session. - Never include this attribute in the access- accept for a LAC session. NO FRAMED-IPV6-ADDRESS FOR DHCPV6 FOR BOTH PPPOE AND IPOE Function To specify the IPv6 address (with /128) assigned to a DHCPv6 client for IA- NA. This is applicable for DHCPv6 triggered IPoE session, and PPP session using DHCPv6 to obtain v6 IP- NA when ASR9K BNG act as a DHCPv6 server influenced by RADIUS server( DHCPv6 radius proxy mode). Attributes 142 of 237

143 Cisco- avpair = addrv6= FEC0:0000:0000:0000:0260:08FF:FEFF:FFFF or Framed- Ipv6- Address = FEC0:0000:0000:0000:0260:08FF:FEFF:FFFF Note: The IETF a+ribute Framed- Ipv6- Address has not been supported yet since when the V6 RADIUS is developed on ASR9K, the RFC defined this a+ribute was s7ll a drah. it will be supported in release. Including this one, we have totally DHCPv6 related IETF a+ributes get alterna7ve Cisco AVpair before IETF cisco AVPair Framed-ipv6-Address Stateful-IPv6-Address-Pool Delegated-IPv6-Prefix-Pool DNS-Server-IPv6-Address Referred configura.on on BNG PPPoE DHCPv6 addrv6=<ipv6 address> stateful-ipv6-address-pool=<name> delegated-ipv6-pool=<name> ipv6-dns-servers-addr=<ipv6 address> dhcp ipv6 profile SERVER server lease 4 dns-server 2011::1 domain-name cisco.com interface subscriber-pppoe profile SERVER or IPoE DHCPv6 dhcp ipv6 profile SERVER server lease 4 dns-server 2011::1 domain-name cisco.com interface Bundle-Ether server profile SERVER Equivalent con.iguration in dynamic- template n/a 143 of 237

144 Notes - This is applicable for DHCPv6 triggered IPoE session, and PPP session using DHCPv6 to obtain v6 IP- NA when ASR9K BNG act as a DHCPv6 server influenced by RADIUS server( DHCPv6 radius proxy mode). - Here the ASR9K must act as a DHCPv4 server, this is part of the so called DHCP radius proxy feature.. - The ipv4 address will be negotiate with client via DHCPv6. protocol as IA- NA, only / 128 v6 address could be assigned in this way. - A subscriber route will be created in the v6 routing table for this v6 address. - Note, the RADIUS specified address assigned to subscriber is not reflected in the usage of local IPv6 pool. In fact, with specific ipv6 address assigned by radius, you do not even need an IPv6 pool configured locally in this case, but you can still Find the dhcp binding entry for that session. NO STATEFUL-IPV6-ADDRESS-POOL FOR DHCPV6 FOR BOTH PPPOE AND IPOE Function To specify the IPv6 address pool for IA- NA from which a ipv6 address (with /128) is assigned to a DHCPv6 client for IA- NA. This is applicable for DHCPv6 triggered IPoE session, and PPP session using DHCPv6 to obtain v6 IP- NA when ASR9K BNG act as a DHCPv6 server influenced by RADIUS server( DHCPv6 radius proxy mode). Attributes Cisco- avpair = stateful- ipv6- address- pool= v6_pool_1 or Stateful- IPv6- Address- Pool = v6_pool_1 Note: The IETF a+ribute Stateful- IPv6- Address- Pool has not been supported yet since when the V6 RADIUS is developed on ASR9K, the RFC defined this a+ribute was s7ll a drah. it will be supported in release. Including this one, we have totally DHCPv6 related IETF a+ributes get alterna7ve Cisco AVpair before IETF cisco AVPair Framed-ipv6-Address addrv6=<ipv6 address> 144 of 237

145 IETF Stateful-IPv6-Address-Pool Delegated-IPv6-Prefix-Pool DNS-Server-IPv6-Address Referred configura.on on BNG PPPoE DHCPv6 cisco AVPair stateful-ipv6-address-pool=<name> delegated-ipv6-pool=<name> ipv6-dns-servers-addr=<ipv6 address> pool vrf default ipv6 v6_pool_1 address-range 2001::2 2001::ffff dhcp ipv6 profile SERVER server lease 4 dns-server 2011::1 domain-name cisco.com address-pool v6_pool_1 interface subscriber-pppoe profile SERVER or IPoE DHCPv6 pool vrf default ipv6 v6_pool_1 address-range 2001::2 2001::ffff dhcp ipv6 profile SERVER server lease 4 dns-server 2011::1 domain-name cisco.com address-pool v6_pool_1 interface Bundle-Ether server profile SERVER Equivalent con.iguration in dynamic- template dynamic-template type ppp TEST dhcpv6 address-pool v6_pool_1 or dynamic-template type ipsub TEST dhcpv6 address-pool v6_pool_1 145 of 237

146 Notes - This is applicable for DHCPv6 triggered IPoE session, and PPP session using DHCPv6 to obtain v6 IP- NA when ASR9K BNG act as a DHCPv6 server influenced by RADIUS server( DHCPv6 radius proxy mode). - Here the ASR9K must act as a DHCPv6 server, this is part of the so called DHCP radius proxy feature.. - The ipv6 address will be negotiate with client via DHCPv6 protocol as IA- NA, only / 128 v6 address could be assigned in this way. - You can still Find the dhcp binding entry for that session, and use show pool ipv6 to check the usage of v6 pool. NO DELEGATED-IPV6-PREFIX-POOL FOR DHCPV6 FOR BOTH PPPOE AND IPOE Function To specify the IPv6 pool for IA- PD, from which a ipv6 prefix is assigned to a DHCPv6 client for IA- PD. This is applicable for DHCPv6 triggered IPoE session, and PPP session using DHCPv6 to obtain v6 IP- PD when ASR9K BNG act as a DHCPv6 server influenced by RADIUS server( DHCPv6 radius proxy mode). Attributes Cisco- avpair = delegated- ipv6- pool= PD_pool or Delegated- IPv6- Prefix- Pool = PD_pool Note: The IETF a+ribute Delegated- IPv6- Prefix- Pool has not been supported yet since when the V6 RADIUS is developed on ASR9K, the RFC defined this a+ribute was s7ll a drah. it will be supported in release. Including this one, we have totally DHCPv6 related IETF a+ributes get alterna7ve Cisco AVpair before IETF cisco AVPair Framed-ipv6-Address Stateful-IPv6-Address-Pool Delegated-IPv6-Prefix-Pool addrv6=<ipv6 address> stateful-ipv6-address-pool=<name> delegated-ipv6-pool=<name> 146 of 237

147 IETF DNS-Server-IPv6-Address Referred configura.on on BNG PPPoE DHCPv6 cisco AVPair ipv6-dns-servers-addr=<ipv6 address> pool vrf default ipv6 PD_pool prefix-length 64 prefix-range 2002:1:1:: 2002:1:1:ffff:: dhcp ipv6 profile SERVER server lease 4 dns-server 2011::1 domain-name cisco.com prefix-pool PD_pool interface subscriber-pppoe profile SERVER or IPoE DHCPv6 pool vrf default ipv6 PD_pool prefix-length 64 prefix-range 2002:1:1:: 2002:1:1:ffff:: dhcp ipv6 profile SERVER server lease 4 dns-server 2011::1 domain-name cisco.com prefix-pool PD_pool interface Bundle-Ether server profile SERVER Equivalent con.iguration in dynamic- template dynamic-template type ppp TEST dhcpv6 delegated-prefix-pool PD_pool or dynamic-template type ipsub TEST dhcpv6 delegated-prefix-pool PD_pool 147 of 237

148 Notes - This is applicable for DHCPv6 triggered IPoE session, and PPP session using DHCPv6 to obtain v6 IP- NA when ASR9K BNG act as a DHCPv6 server influenced by RADIUS server( DHCPv6 radius proxy mode). - Here the ASR9K must act as a DHCPv6 server, this is part of the so called DHCP radius proxy feature.. - The ipv6 prefix will be negotiated with client via DHCPv6 protocol as IA- PD. - A subscriber route will be created in the v6 routing table for this v6 delegated prefix. - You can still Find the dhcp binding entry for that session, and use show pool ipv6 to check the usage of v6 pool. NO V6 DNS SERVER FOR DHCPV6 FOR BOTH PPPOE AND IPOE Function To specify the IPv6 DNS server address. This is applicable for DHCPv6 triggered IPoE session, and PPP session using DHCPv6 to obtain v6 DNS( so called stateless DHCPv6 for PPPoE) when ASR9K BNG act as a DHCPv6 server influenced by RADIUS server( DHCPv6 radius proxy mode). Attributes Cisco- avpair = ipv6- dns- servers- addr=2002::1 or DNS- Server- IPv6- Address = 2002::1 Note: The IETF a+ribute DNS- Server- IPv6- Address has not been supported yet since when the V6 RADIUS is developed on ASR9K, the RFC defined this a+ribute was s7ll a drah. it will be supported in release. Including this one, we have totally DHCPv6 related IETF a+ributes get alterna7ve Cisco AVpair before IETF cisco AVPair Framed-ipv6-Address Stateful-IPv6-Address-Pool Delegated-IPv6-Prefix-Pool DNS-Server-IPv6-Address addrv6=<ipv6 address> stateful-ipv6-address-pool=<name> delegated-ipv6-pool=<name> ipv6-dns-servers-addr=<ipv6 address> 148 of 237

149 Referred configura.on on BNG PPPoE DHCPv6 dhcp ipv6 profile SERVER server lease 4 domain-name cisco.com interface subscriber-pppoe profile SERVER or IPoE DHCPv6 dhcp ipv6 profile SERVER server lease 4 domain-name cisco.com interface Bundle-Ether server profile SERVER Equivalent con.iguration in dynamic- template dhcp ipv6 profile SERVER server lease 4 dns-server 2011::1 Notes - This is applicable for DHCPv6 triggered IPoE session, and PPP session using DHCPv6 to obtain v6 DNS server address when ASR9K BNG act as a DHCPv6 server influenced by RADIUS server( DHCPv6 radius proxy mode). - Here the ASR9K must act as a DHCPv6 server, this is part of the so called DHCP radius proxy feature.. - The ipv6 DNS will be negotiated with client via DHCPv6 protocol. NO DHCPV6 CLASS 149 of 237

150 Function To Specify the DHCP class under which you can specify the customised information. In this case, the radius server is involved to influence the behaviour of DHCPv6 server. Attributes Cisco- avpair = dhcpv6- class=dhcp- hgw- vobb Referred configura.on on BNG Similar to DHCPv4 counterpart. Equivalent con.iguration in dynamic- template dynamic-template type ppp TEST dhcpv6 class-name dhcp-hgw-vobb or dynamic-template type ipsub TEST dhcpv6 class-name dhcp-hgw-vobb Notes - Applicable for DHCPv6 triggered IPoE session, and PPP session using DHCPv6 to obtain IA- NA/IA- PD or v6 DNS server information. - Here the ASR9K must act as a DHCPv6 server, this is part of the so called DHCP radius proxy feature.. NO V6 ACL Function To specify the name of in/out security IPv6 ACL or in/out IPv6 ABF(ACL based forwarding) applied to a session. 150 of 237

151 Attributes Cisco- avpair = ipv6_outacl=s99_acl_out_v6" Cisco- avpair = ipv6_inacl=s99_acl_in_v6" Referred configura.on on BNG Similar to it s v4 counterpart Equivalent con.iguration in dynamic- template dynamic-template type service TEST ipv6 access-group S99_ACL_in_v6 ingress dynamic-template type service TEST ipv6 access-group S99_ACL_out_v6 egress Notes - Applicable for all kinds of v6 sessions or DS sessions - Same method for ABF NO IPV6-UNREACHABLE Function To enable ipv6 ipv6- unreachable for subscriber session Attributes Cisco- avpair = ipv6- unreachable=0 Referred configura.on on BNG n/a Equivalent con.iguration in dynamic- template dynamic-template type service TEST ipv6 unreachables disable 151 of 237

152 Notes - Applicable for PPPoE/IPoE - Ipv6 ICMP unreachables are enabled by default on the session interface (sh ipv6 int Bundle- Ether pppoe13 to check). - The value of this AVPair could be 0 or 1 or whatever other mumber( tried 2 and 21 in person and both work as well), end in disabling the ipv6 ICMP unreachables. You can use 0 to make it more meaningful. NO IPV6 URPF Function To enable ipv6 urpf checking for subscriber packet Attributes Cisco- avpair = ipv6- strict- rpf=1 or Cisco- avpair = ipv6- strict- rpf=0 1 is for strict mode and 0 is for loose mode. Referred configura.on on BNG n/a Equivalent con.iguration in dynamic- template dynamic-template type service TEST ipv6 verify unicast source reachable-via rx Notes - Applicable for PPPoE/IPoE - by default the urpf is disabled on the session interface, ipv6- strict- rpf=1 turns on strict mode urpf and ipv6- strict- rpf=0 turns on loose mode urpf. A comprehensive example includes multiple v6 radius attributes. user pro.ile on RADIUS server V6PPP10@S99 Cleartext- Password := "cisco" Cisco- avpair = "ipv6- enable=1", Framed- Interface- Id += 0260:08FF:FEFF:FFFF, Framed- Ipv6- Prefix += FEC0:0000:0000:0000:0000:0000:0000:0000/64, Cisco- avpair += "ipv6- strict- rpf=1", 152 of 237

153 Cisco- avpair += "ipv6- unreachable=1", Cisco- avpair += "ipv6_outacl=s99_acl_out_v6", Cisco- avpair += "ipv6_inacl=s99_acl_in_v6" radius server log Sending Access- Accept of id 16 to port Cisco- AVPair = "ipv6- enable=1" Framed- Interface- Id += 260:8ff:feff:ffff Framed- IPv6- Prefix += fec0::/64 Cisco- AVPair += "ipv6- strict- rpf=1" Cisco- AVPair += "ipv6- unreachable=1" Cisco- AVPair += "ipv6_outacl=s99_acl_out_v6" Cisco- AVPair += "ipv6_inacl=s99_acl_in_v6" Wed Jul 09 14:24: : Info: Finished request 0. BNG session information RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de internal Wed Jul 9 14:23: UTC Interface: Bundle- Ether pppoe10 Circuit ID: Unknown Remote ID: Unknown Type: PPPoE:PTA IPv4 State: Up, Wed Jul 9 14:23: IPv4 Address: , VRF: default IPv4 Up helpers: 0x {PPP} IPv4 Up requestors: 0x {PPP} IPv6 State: Up, Wed Jul 9 14:23: Framed IPv6 Prefix: fec0::/64, VRF: default IPv6 Interface ID:.`... ( ff fe ff ff ff) IPv6 Up helpers: 0x {PPP,ND} IPv6 Up requestors: 0x {PPP,ND} Mac Address: 3c07.545f.c041 Account- Session Id: a Nas- Port: User name: V6PPP10@S99 Outer VLAN ID: 101 Inner VLAN ID: 99 Subscriber Label: 0x Created: Wed Jul 9 14:23: State: Activated Authentication: authenticated Authorization: unauthorized Ifhandle: 0x000015e0 Session History ID: 6 Access- interface: Bundle- Ether Policy Executed: event Session- Start match- first [at Wed Jul 9 14:23: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 activate dynamic- template S99_DT_LCP [cerr: No error][aaa: Success] event Session- Activate match- first [at Wed Jul 9 14:23: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 153 of 237

154 10 authenticate aaa list S99_AAA_list [cerr: No error][aaa: Success] 20 activate dynamic- template S99_DT_PTA_MIN [cerr: No error][aaa: Success] Session Accounting: disabled Last COA request received: unavailable User Profile received from AAA: Attribute List: 0x500f9d38 1: ipv6- enable len= 4 value= 1(1) 2: Interface- Id len= 8 value= ff fe ff ff ff 3: prefix len= 18 value= fec0::/64 4: ipv6- strict- rpf len= 4 value= 1(1) 5: ipv6- unreachable len= 4 value= 1(1) 6: ipv6_outacl len= 14 value= S99_ACL_out_v6 7: ipv6_inacl len= 13 value= S99_ACL_in_v6 Services: Name : S99_DT_LCP Service- ID : 0x400003e Type : Template Status : Applied Name : S99_DT_PTA_MIN Service- ID : 0x400005a Type : Template Status : Applied [Event History] Jul 9 14:23: SUBDB produce done [many] Jul 9 14:23: IPv6 Up [many] Jul 9 14:23: IPv4 Up RP/0/RSP0/CPU0:Roy_BNG_1#sh route ipv6 subscriber Wed Jul 9 14:23: UTC A fec0::/64 is directly connected, 00:00:35, Bundle- Ether pppoe10 RP/0/RSP0/CPU0:Roy_BNG_1#sh ipv6 int Bundle- Ether pppoe10 Wed Jul 9 14:24: UTC Bundle- Ether pppoe10 is Up, ipv6 protocol is Up, Vrfid is default (0x ) IPv6 is enabled, link- local address is fe80::e6c7:22ff:fe3a:d1f3 No global unicast address is configured Joined group address(es): ff02::1:ff3a:d1f3 ff02::2 ff02::1 MTU is 1500 (1492 is available to IPv6) ICMP redirects are disabled ICMP unreachables are disabled ND DAD is disabled, number of DAD attempts 0 ND reachable time is 0 milliseconds ND cache entry limit is ND advertised retransmit interval is 0 milliseconds ND router advertisements are sent every 160 to 240 seconds ND router advertisements live for 1800 seconds Hosts use stateless autoconfig for addresses. Outgoing access list is not set Inbound access list is not set Table Id is 0xe IP unicast RPF check is enabled RPF mode strict Complete protocol adjacency: 0 Complete glean adjacency: 0 Incomplete protocol adjacency: 0 Incomplete glean adjacency: of 237

155 Dropped protocol request: 0 Dropped glean request: 0 RP/0/RSP0/CPU0:Roy_BNG_1#sh access- lists ipv6 interface Bundle- Ether pppoe10 Wed Jul 9 14:25: UTC Input ACL (common): N/A (interface): S99_ACL_in_v6 Output ACL: S99_ACL_out_v6 RP/0/RSP0/CPU0:Roy_BNG_1# NO SERVICE-ACTIVATE Function To enable a service defined locally on the ASR9K BNG as a dynamic- template. Attributes Cisco- avpair = sa=s99_service_2 Here the sa" stand for service ac7vate. The string follows = is the name of the service which must match the name of the dynamic- template defined on the BNG box. Referred configura.on on BNG dynamic-template type service S99_SERVICE_2 <- the type could also be ppp or ipsub service-policy input S99_IN_POLICING_1M service-policy output S99_OUT_SHAPING_9M_H ipv4 access-group S99_ACL_in_2 ingress ipv4 access-group S99_ACL_out_2 egress policy-map S99_IN_POLICING_1M class class-default police rate 1 mbps end-policy-map policy-map S99_OUT_SHAPING_9M_H class class-default service-policy S99_OUT_SHAPING_9M_CHILD shape average 9 mbps end-policy-map 155 of 237

156 policy-map S99_OUT_SHAPING_9M_CHILD class CM_VIDEO_IPP priority level 1 police rate 8 mbps class class-default end-policy-map ipv4 access-list S99_ACL_in_2 20 permit ipv4 any any ipv4 access-list S99_ACL_out_2 10 permit ipv4 any any Equivalent con.iguration in dynamic- template This is not to apply an individual feature, instead, it s to apply an service as a whole, so the equivalent configuration on box is not on the dynamic- template level, instead, the right way is to activate a dynamic- template in the control policy which is attached to a access- interface and effective to all of the session nested under that access- interface. policy-map type control subscriber S99_CP_PTA_BASIC event session-start match-first class type control subscriber S99_PTA do-until-failure 10 activate dynamic-template S99_DT_LCP event session-activate match-first class type control subscriber S99_PTA do-until-failure 10 authenticate aaa list S99_AAA_list 20 activate dynamic-template S99_SERVICE_2 Notes - Applicable for PPPoE/IPoE. - A user profile with only AVPair sa=<service- name> dose not work, a workaround is to add a dummy attribute, for example, a service- type ###This profile does not work## PPP3@S99 Cleartext- Password := "cisco" Cisco- avpair += "sa=httprdrt_tpl_1", Cisco- avpair += sa=s99_service_2" ####following profile works### 156 of 237

157 Cleartext- Password := "cisco" Service- Type = framed, Cisco- avpair += "sa=httprdrt_tpl_1", Cisco- avpair += "sa=s99_service_2" - Multiple Cisco- avpair = sa=<service- name> could be included in the same access- accept, to activate multiple dynamic- template in one time on authentication. - A dynamic- template with the same <service- name> must be configured on the ASR9K BNG so that the Cisco- avpair = sa=<service- name> can call that dynamic- template. To trigger a service authorization ( sending access request with username of <service- name> to download a service- profile from radius server) is not supported as of now (5.1.1 release). - Service activation is able to coexist with individual feature enablement by downloading other radius attributes. - To enable some particular feature on a session, configuration can only come from a dynamic- template and there is no equivalent radius attribute, for example, session based SPAN (traffic mirroring). The approach of radius based service activating give you the Flexibility to enable those feature on a per session basis. Example of service activate user pro.ile in radius server PPP3@S99 Cleartext- Password := "cisco" Cisco- avpair = "ipv4- unnumbered=loopback1099", Cisco- avpair += "addr- pool=s99_pool_pppv4", Cisco- avpair += "sa=httprdrt_tpl_1", Cisco- avpair += "sa=s99_service_2" radius server log Sending Access- Accept of id 163 to port Cisco- AVPair = "ipv4- unnumbered=loopback1099" Cisco- AVPair += "addr- pool=s99_pool_pppv4" Cisco- AVPair += "sa=httprdrt_tpl_1" Cisco- AVPair += "sa=s99_service_2" BNG session information RP/0/RSP0/CPU0:Roy_BNG_1#sh run policy- map t c s S99_CP_PTA_BASIC policy- map type control subscriber S99_CP_PTA_BASIC event session- start match- first class type control subscriber S99_PTA do- until- failure 157 of 237

158 10 activate dynamic- template S99_DT_LCP event session- activate match- first class type control subscriber S99_PTA do- until- failure 10 authenticate aaa list S99_AAA_list 20 activate dynamic- template S99_DT_PTA_MIN RP/0/RSP0/CPU0:Roy_BNG_1# sh run dynamic- template t ppp S99_DT_LCP Fri Jul 11 11:14: UTC dynamic- template type ppp S99_DT_LCP ppp authentication pap chap ppp mru ignore ppp ipcp mask ipv4 mtu 700 RP/0/RSP0/CPU0:Roy_BNG_1# sh run dynamic- template t ppp S99_DT_PTA_MIN Fri Jul 11 11:15: UTC dynamic- template type ppp S99_DT_PTA_MIN ppp ipcp peer- address pool S99_POOL_PPPV4 ipv4 unnumbered Loopback1099 RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de internal Fri Jul 11 11:12: UTC Interface: Bundle- Ether pppoe25 Circuit ID: Unknown Remote ID: Unknown Type: PPPoE:PTA IPv4 State: Up, Fri Jul 11 11:07: IPv4 Address: , VRF: default IPv4 Up helpers: 0x {PPP} IPv4 Up requestors: 0x {PPP} IPv6 State: Down, Fri Jul 11 11:07: Mac Address: 3c07.545f.c041 Account- Session Id: Nas- Port: User name: PPP3@S99 Outer VLAN ID: 101 Inner VLAN ID: 99 Subscriber Label: 0x Created: Fri Jul 11 11:07: State: Activated Authentication: authenticated Authorization: unauthorized Ifhandle: 0x00001ba0 Session History ID: 19 Access- interface: Bundle- Ether Policy Executed: event Session- Start match- first [at Fri Jul 11 11:07: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 activate dynamic- template S99_DT_LCP [cerr: No error][aaa: Success] event Session- Activate match- first [at Fri Jul 11 11:07: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 authenticate aaa list S99_AAA_list [cerr: No error][aaa: Success] 20 activate dynamic- template S99_DT_PTA_MIN [cerr: No error][aaa: Success] 158 of 237

159 Session Accounting: disabled Last COA request received: unavailable User Profile received from AAA:< the AVpair sa=xxx is not listed here as a attribute Attribute List: 0x500f9e70 1: ipv4- unnumbered len= 12 value= Loopback1099 2: addr- pool len= 14 value= S99_POOL_PPPV4 Services: Name : S99_DT_LCP <- this is the dynamic- template called by the control policy Service- ID : 0x400003e Type : Template Status : Applied Name : HTTPRDRT_TPL_1 < instead, it s reflected as a service activated Service- ID : 0x400002c Type : Multi Template Status : Applied Name : S99_SERVICE_2 < instead, it s reflected as a service activated Service- ID : 0x400002a Type : Multi Template Status : Applied Name : S99_DT_PTA_MIN <- this is the dynamic- template called by the control policy Service- ID : 0x400005a Type : Template Status : Applied [Last IPv6 down] Disconnect Reason: Disconnect Cause: AAA_DISC_CAUSE_DEFAULT (0) Abort Cause: AAA_AV_ABORT_CAUSE_NO_REASON (0) Terminate Cause: AAA_AV_TERMINATE_CAUSE_NONE (0) Disconnect called by: [iedge internal] [Event History] Jul 11 11:07: SUBDB produce done [many] Jul 11 11:07: IPv4 Up RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber running- config subscriber- label 0x Fri Jul 11 11:13: UTC this is a display for release Subscriber Label: 0x52 dynamic- template type ppp S99_DT_LCP ipv4 mtu 700 dynamic- template type service HTTPRDRT_TPL_1 service- policy type pbr HTTPRDRT_PBR_1 dynamic- template type service S99_SERVICE_2 ipv4 access- group S99_ACL_in_2 ingress 159 of 237

160 dynamic- template type service S99_SERVICE_2 ipv4 access- group S99_ACL_out_2 egress dynamic- template type ppp S99_DT_LCP ppp ipcp mask dynamic- template type ppp S99_DT_LCP ppp authentication pap chap dynamic- template type ppp S99_DT_LCP ppp mru ignore dynamic- template type service S99_SERVICE_2 service- policy input S99_IN_POLICING_1M dynamic- template type service S99_SERVICE_2 service- policy output S99_OUT_SHAPING_9M_H NO SERVICE-DEACTIVATE Function To disable a service which has been activated before. Attributes Cisco- avpair = sd= HTTPRDRT_TPL Here the sd" stand for service deac7vate. The string follows = is the name of the service which must match the name of a dynamic- template or service ac7vated on the BNG. 160 of 237

161 Referred configura.on on BNG n/a Equivalent con.iguration in dynamic- template This is to deactivate dan service as a whole, so the equivalent configuration on box is not on the dynamic- template level, instead, the right way is teo activate a dynamic- template in the control policy which is attached to a access- interface and effective to all of the session nested under that access- interface. policy-map type control subscriber IPoE_WLAN event session-start match-first class type control subscriber IP do-until-failure 10 activate dynamic-template UNAUTH_TPL 20 authorize aaa list IPoE_WLAN format USERNAME password cisco event authorization-failure match-first class type control subscriber IP do-until-failure 10 activate dynamic-template HTTPRDRT_TPL 20 set-timer UNAUTH_TMR 3 event account-logon match-first class type control subscriber IP do-until-failure 10 authenticate aaa list IPoE_WLAN 20 deactivate dynamic-template HTTPRDRT_TPL event timer-expiry match-first class type control subscriber UNAUTH_TMR_CM do-until-failure 10 disconnect end-policy-map Notes - Applicable for PPPoE/IPoE. - The service need to be deactivate must be present on the session, use show subs sess detail internal to check what services are applied. - Not all of the service could be deactivate, for example, it s not possible to deactivate a service defined the VRF- ID, or the authentication protocol. NO L2TP LAC/VPDN RELATED ATTRIBUTES 161 of 237

162 Function The attributes to specify the parameters for L2TP LAC functionality. For more detail on how to configure L2TP LAC on ASR9000 BNG, please visit configuration/guide/b- bng- cg52xasr9k/b- bng- cg52xasr9k_chapter_0101.html#concept_a9f34995a4c54e73909cd490bc9f27a8 Attributes Following table lists all of the supported Cisco- VSA(AVPair) and it s equivalent IETF attributes as of release. Cisco-VSA IETF Radius Attribute Respective Local Config Description Cisco- avpair = "vpdn:tunnel- type=l2tp" Tunnel- Type 64 ( integer) protocol l2tp Tunneling protocol to be used. We will support only l2tp as the op7on. Cisco- avpair = "vpdn:ip- addresses= , / , " Tunnel- Server- Endpoint 67 (string) ipv4 des7na7on <address> LNS address. VSA: comma ',' is for load balancing, / defines failover groups Cisco- avpair = vpdn: ip- address- limits= N/A ipv4 des7na7on <address> limit <value> Should be in the same order as ip- addresses and each value is delimited by a space. Cisco- avpair = "vpdn:source- ip= " Tunnel- Client- Endpoint 68 (string) source ipv4 <address> Source address for the L2TP Tunnels. Cisco- avpair = "vpdn:tunnel- id=lac1" Tunnel- Client- Auth- ID 90 (string) local name <string> Local name for Tunnel Authen7ca7on. If not configured default to hostname. 162 of 237

163 Cisco- avpair = "vpdn:l2tp- tunnel- password=cisco" Tunnel- Password 69 (string) password 0 cisco in l2tp- class. Password for L2TP tunnel authen7ca7on. Cisco- avpair= vpdn:tunnel- medium- type=1 Tunnel- Medium- Type 65 (integer) N/A (by default it is IPv4) We only support IPv4 for this field, essen7ally this field could be ignored. Cisco- avpair= vpdn: tunnel- preference=10 Tunnel- Preference 83 (integer) N/A Provides load balance and failover capability between different groups of LNS. N/A Tunnel- Assignment- ID 82 (string) N/A Used to groups sessions from different vpdn- groups/domain profiles under the same tunnel. Cisco- avpair= gw- name=lns1 Tunnel- Server- Auth- ID 91 (string) N/A It is same as remote- name and is used for Tunnel authen7ca7on Cisco- avpair= vpdn: tunnel- tos- reflect=yes N/A ip tos reflect When reflect op7on is enabled, tos from inner ip header is copied to the L2TP tunnel IP header. Cisco- Avpair = vpdn: l2tp- tunnel- authen=yes, N/A l2tp tunnel authen7ca7on To enable tunnel authen7ca7on. Cisco- avpair = "vpdn:vpn- id=<value> N/A vpn id <value> VPN ID to be used to reach the LNS/peers in this vpdn- group. By default global- vrf will be used. 163 of 237

164 Cisco- avpair = "vpdn:vpn- vrf=<value> N/A vpn vrf <name> VPN VRF name to be used to reach the LNS/ peers in this vpdn- group. By default global- vrf will be used. Cisco- avpair= vpdn: tunnel- tos- sepng=2 N/A ip tos <value> TOS sepng for data- plane. Cisco- avpair= vpdn: vpdn- template=<value> N/A source vpdn- template <value> to set the tos of l2tp packet, default is 0. Cisco- avpair="vpdn:dsl- line- info- forwarding=1" N/A dsl- line- info- forwarding enable the L2TP Forwarding of PPPoE Tag Informa7on,allowing transfering of DSL line informa7on from the L2TP access concentrator (LAC) to the L2TP network server (LNS) Cisco- avpiar= vpdn: l2tp- clid- mask- method=<value> N/A l2tp a+ribute clid mask- method remove the <value> could be set to remove to suppress L2TPv2 Calling Sta7on ID Cisco- avpiar= vpdn: l2tp- tx- speed=<value> N/A l2tp tx- speed <config- string> see detail for the usage in following table Cisco- avpiar= vpdn: l2tp- rx- speed=<value> l2tp rx- speed <config- string> see detail for the usage in following table N/A Following table summarizes the values which can be configured though the attributes of tx/rx speed. These radius downloaded values will not have any effect on the QoS policy/hw rates. They are way to tell what need to be sent to LNS.When neither CLI nor user- profile contains tx/rx speed configuration options, then we will 164 of 237

165 send the PPPoE Tag line rates. If PPPoE tag not available then random value will be send to LNS. Config Mode A words, all of the LNS information need to be downloaded from radius server or called as part of a dynamic- template activated by a control policy. VPDN- group configuration is not supported. The IETF attribute Service- type=outbound- User must be included in the user- profile for a L2TP LAC session, so that the BNG knows it s a L2TP session and initiate the session to the LNS. BTW, for IPoE or PPPoE PTA session, the service- type in access- accept is not mandatory. usage of AVPair tx/rx speed l2tp-tx-speed=value l2tp-rx-speed=value <value> will be in kbps to be sent to LNS l2tp-tx-speed=ancp ANCP actual upstream downstream line rate. If Config Mode B ANCP values not l2tp-rx-speed=ancp available, send PPPoE Tag value. l2tp-tx-speed=ancp, value ANCP line rate value if Config Mode C available or else specified l2tp-rx-speed=ancp, value <value> from radius. Notes: Local authorization is not supported for IOS XR based L2TP at this stage, another If the PTA and LAC session are mixed under the same access- interface, be careful to build the control policy. LAC session fails if IPv4/IPv6 is enabled during session- start for L2TP session. - This could happen if you want to accommodate both PTA and LAC session in a common access- interace using a single control policy and rely on the access- accept from RADIUS server to tell if a session need to be treated as PTA or LAC session. - If there is a dynamic- template with IPv4/V6 enabled by including a "ipv4 unnumbered or IPv6 enable or other feature related to L3 forwarding activated upon session- start, and during session- activate your radius server 165 of 237

166 indicates that this session is a L2TP session and need to be tunnelled to a LNS, the L2TP session will fail to establish since and IPv4/V6 is not allowed for a LAC session. Please don't include any attributes related to the L3 forwarding parameter to a the access- accept for a L2TP session, such as ipv4- unnumbered, ipv6- enable, framed- route, vrf- id,etc. Here is a example to handle the situation that LAC and PTA session are terminated in the same access interface if some PTA related feature need to be applied from dynamic- template. aaa attribute format vpdn_domain username-strip dynamic-template type ppp LCP_FEATURE ppp timeout retry 3 ppp authentication pap ppp timeout authentication 5 type ppp PTA ppp ipcp dns ppp ipcp peer-address pool POOL_TELMEX accounting aaa list RADIUS type session periodic-interval 1 dualstack-delay 5 ipv4 mtu 1492 ipv4 verify unicast source reachable-via rx ipv4 unnumbered Loopback200 policy-map type control subscriber POLICY_PTA_LAC event session-start match-first class type control subscriber CLASS_PPP do-until-failure 10 activate dynamic-template LCP_FEATURE event session-activate match-first class type control subscriber CLASS_LAC do-until-failure 10 authorize aaa list RADIUS format vpdn_domain password cisco class type control subscriber CLASS_PPP do-until-failure 10 authenticate aaa list RADIUS 20 activate dynamic-template PTA class-map type control subscriber match-all CLASS_PPP match protocol ppp end-class-map class-map type control subscriber match-all CLASS_LAC 166 of 237

167 match domain retailer.com format vpdn_domain < this is an example, means you want to check the domain part of username and if it match the retailer.com, do LAC, otherwise do PTA interface Bundle-Ether service-policy type control subscriber POLICY_PTA_LAC pppoe enable encapsulation dot1q 200 IETF tagged LAC attribtues on LAC (RFC 2868) are supported from release, before that, the only way to achieve RADIUS based tunnel preference for load balancing and fail- over is the use of a Cisco proprietary Vendor SpeciFic Attribute (VSA). Service- type = Outbound- User, cisco:avpair = vpdn:tunnel- type=l2tp", cisco:avpair = vpdn:ip- addresses= , / , / , ", cisco:avpair = "vpdn:l2tp- tunnel- password=hello" This configuration is interpreted as: tunnel endpoints and are in Priority Group 1 tunnel endpoints and are in Priority Group 2 tunnel endpoints and are in Priority Group 3 Following is the equivalent IETF tagged attributes for the same purpose. Service- type=outbound- User, Tunnel- Type = :0:L2TP, Tunnel- Medium- Type = :0:IP, Tunnel- Server- Endpoint = :0:" ", Tunnel- Assignment- Id = :0:"1", Tunnel- Preference = :0:1, Tunnel- Password = :0:"hello" Tunnel- Type = :1:L2TP, Tunnel- Medium- Type = :1:IP, Tunnel- Server- Endpoint = :1:" ", Tunnel- Assignment- Id = :1:"1", Tunnel- Preference = :1:1, Tunnel- Password = :1:"hello" 167 of 237

168 Tunnel- Type = :2:L2TP, Tunnel- Medium- Type = :2:IP, Tunnel- Server- Endpoint = :2:" ", Tunnel- Assignment- Id = :2:"1", Tunnel- Preference = :2:2, Tunnel- Password = :2:"hello" Tunnel- Type = :3:L2TP, Tunnel- Medium- Type = :3:IP, Tunnel- Server- Endpoint = :3:" ", Tunnel- Assignment- Id = :3:"1", Tunnel- Preference = :3:2, Tunnel- Password = :3:"hello" Tunnel- Type = :4:L2TP, Tunnel- Medium- Type = :4:IP, Tunnel- Server- Endpoint = :4:" ", Tunnel- Assignment- Id = :4:"1", Tunnel- Preference = :4:3, Tunnel- Password = :4:"hello" Tunnel- Type = :5:L2TP, Tunnel- Medium- Type = :5:IP, Tunnel- Server- Endpoint = :5:" ", Tunnel- Assignment- Id = :5:"1", Tunnel- Preference = :5:3, Tunnel- Password = :5:"hello" Some example of user profile for L2TP LAC VPDN30161 Auth- type := Local, User- Password == "cisco" Framed- Protocol=PPP, Service- type=outbound- User, Cisco- AVPair += "vpdn:ip- addresses= ", Cisco- AVPair += "vpdn:source- ip= ", Cisco- AVPair += "vpdn:tunnel- password=spirent", Cisco- AVPair += "vpdn:tunnel- medium- type=1", Cisco- AVPair += "vpdn:tunnel- type=l2tp" cisco.com Password = "secret" Service- Type = Outbound- User, cisco- avpair = "vpdn:tunnel- id=lac", cisco- avpair = "vpdn:tunnel- type=l2tp", cisco- avpair = "vpdn:ip- addresses= ", cisco- avpair = "vpdn:source- ip= ", Cisco- avpair = vpdn:tunnel- session- limit=1000, 168 of 237

169 cisco- avpair = vpdn:dsl- line- info- forwarding=1" cisco.com Password = "secret" Service- Type = Outbound- User, cisco- avpair = "vpdn:tunnel- id=lac", cisco- avpair = "vpdn:tunnel- type=l2tp", cisco- avpair = "vpdn:tunnel- passsword=password", cisco- avpair = "vpdn:ip- addresses= ", cisco- avpair = "vpdn:source- ip= ", Cisco- avpair = vpdn:tunnel- session- limit=1000, Cisco- avpair = "vpdn:vpn- vrf=vrf_1" 6. Chapter 6, CoA and PoD 6.1.CoA/PoD overview Change of Authorization (CoA)and Pacekt of disconnect (PoD) are both extension to the RADIUS standard, they are depined in RFC 5176 Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS). These extension method allow for asynchronous messages to be sent from external component to BNG. In the context of CoA/PoD, the BNG is acting as a CoA server or dynamic authorization server- use the term in RFC 5176, and the external components is acting as a CoA client or dynamic authorization client. Note that a CoA client could be different from the RADIUS servers that are used for subscriber authentication/authorization and accounting. PoD(Also known as DM-disconnect message) and CoA use the same UDP port and share the same packet format, but with different code for request, ACK and NAK respectively, read the RFC for more detail. The prime reason for CoA/PoD on ASR9K BNG is to allow dynamic authorization client to - disconnect a session. 169 of 237

170 - change behavior for a subscriber session that has already been authorized. - send subscriber session credential to a BNG. - trigger the service update which effect to the service definition for the whole BNG rather than a particular session. 6.2.restriction of ASR9K CoA/PoD implementation - One CoA/PoD request can only target to one session. - Before release, one CoA request can only take one action, multiaction CoA is supported from release onwards. - CoA query request is not supported in IOS XR based BNG, although it s supported in IOS based ISG. 6.3.key component in a CoA message A CoA message initiated from a CoA client normally comprise three kinds of key information Session key (mandatory) The presence of session key or session identifier lets the BNG know against what session an action is needed to take. There are several way to identify a session in a CoA/PoD request,one of following attributes of combination of attributes must be present in PoD/CoA request. - acct-session-id (IETF attribute 44) - framed-ip-address (IETF attribute 8) + cisco AVpair vrf-id. vrf-id is not needed when the session is in the default vrf. 170 of 237

171 - User-Name(IETF atttibute 1), with the assumption that the user-name is system-widen unique. If there is duplicated username, the CoA request will be dropped. - framed-ipv6-address or cisco AVpair addrv6 + cisco AVpair vrf-id. vrf-id is not needed when the session is in the default vrf. the framed-ipv6-address must be /128, this attribute only present for a session using DHCPv6 to assign IA-NA to client. - framed-ipv6-prefix + cisco AVpair vrf-id not supported at this release due to CSCun94385, it s in roadmap of release. When the PPPoE client get a V6 prefix via SLACC, this is the right session key to use CoA command(mandatory with some exception) CoA command indicates what action the CoA request want to take. CoA command is present as a Cisco AVpair, 5 kind of CoA command are supported at this moment. Account Logon Account Logon request is sent from a CoA portal to trigger an account-logon event on the BNG. The account-logon event is generally used by as a signal to authenticate a session. The Account Logon request contains the user credentials that were collected at the portal. vsa cisco generic 1 string subscriber:command=account-logon" Account Logoff Account logoff request is sent from a CoA portal to remove a session on the BNG. This can be done for administrative reasons, if the user disconnects from a portal. 171 of 237

172 vsa cisco generic 1 string subscriber:command=account-logoff Service Activate Service Activate request is sent from a CoA portal to activate a service for the identified session. The parameters include the session identification attributes and name of the service that has to be activated on the session. vsa cisco generic 1 string subscriber:command=activate-service" Service Deactivate Service Deactivate request is sent from a CoA portal to deactivate a service on a session. The parameters include the session identification attributes and name of the service that has to be activated on the session. vsa cisco generic 1 string subscriber:command=deactivate-service" Account Update Apart from above listed subscriber commands, BNG supporst conpiguration change CoA requests, these requests will not have a subscriber command but have attributes that change or apply certain conpiguration parameters on the BNG. Even though conpig- change CoA request from the portal won t have subscriber command attribute, CoA module on the BNG will insert the attribute with account- update as the value before handing the request over to command handler for further processing. Lawful Intercept, Parameterized QoS are some know features that will use conpig- change CoA requests. BTW, it works as well if there is a Cisco- avpair= subscriber:command=account- update included in the CoA request RADIUS attributes (optional) RADIUS attributes may be included in some CoA request but not all, indicating what the new attributes need to be applied to a session (in case of account-update) or what is the credential information need to provide to BNG for further authentication ( in case of account-logon). 172 of 237

173 6.3.4.session-BNG address mapping Besides above information carried by the CoA message, an additional thing the CoA client must know is the IP address of the BNG on which the target session is terminated, so that it can use that IP as the destination IP in its IP packet header of CoA request message. In IOS based ISG, PBHK feature is used to translate the source IP of a subscriber to the BNG address but this feature is not supported by IOS XR based BNG implementation. So other ways are needed to enable the CoA client to realise what s the BNG IP address to send CoA request to- either it maintain a database with mapping information between subscriber and it s BNG, or let the http packet reach out to a CoA client to carry the IP address of the according BNG. Freeradius software can work as a CoA client, and another cool CoA client developed by Xander is and its user guide is available here Following example are collected with using Xander s CoA client. 6.4.PoD ( DM) and different session key Here are some examples of PoD, the various Scenarios also explain how to use different session key for PoD ( same to CoA) Example of a failed POD 173 of 237

174 Scenario There is a pppoe session established with acct-session-id 0x e, but we use a wrong acct-session-id (0x d) in the PoD request. RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all detail Fri Jul 18 13:45: UTC Interface: Bundle- Ether pppoe14 Circuit ID: Unknown Remote ID: Unknown Type: PPPoE:PTA IPv4 State: Up, Fri Jul 18 13:45: IPv4 Address: , VRF: default Mac Address: 3c07.545f.c041 Account- Session Id: e CoA client command C:\COA\coa_w32.exe>coa_w32.exe - n p d - k cisco , d CoA Client (version 2.6),(c) April- 2012, xander thuijs CCIE#6775 Cisco Systems Int. Using POD with : NAS: ac1258e6 Port: 1700 Secret: cisco123 Timeout: 2 (0 means indefinite wait) POD: NAS did not honour our request (ID 140) ASR9K show/debug display RP/0/RSP0/CPU0:Roy_BNG_1#sh debug Fri Jul 18 13:47: UTC #### debug flags set from tty 'vty0' #### radius basic flag is ON RP/0/RSP0/CPU0:Roy_BNG_1#RP/0/RSP0/CPU0:Jul 18 13:47: : radiusd[1117]: RADIUS: Received from id , POD Request, len 30 RP/0/RSP0/CPU0:Jul 18 13:47: : radiusd[1117]: RADIUS: authenticator 94 E2 DD 9D F7 8C 5A 99 - CD 8F 5D 97 7D CE RP/0/RSP0/CPU0:Jul 18 13:47: : radiusd[1117]: RADIUS: Acct- Session- Id [44] d RP/0/RSP0/CPU0:Jul 18 13:47: : radiusd[1117]: RADIUS: Send Disconnect Nack Response to id 176, len 93 RP/0/RSP0/CPU0:Jul 18 13:47: : radiusd[1117]: RADIUS: authenticator C6 8C DF EA 8D FF F D RP/0/RSP0/CPU0:Jul 18 13:47: : radiusd[1117]: RADIUS: Acct- Session- Id [44] d RP/0/RSP0/CPU0:Jul 18 13:47: : radiusd[1117]: RADIUS: Vendor- Specific [26] 9 RP/0/RSP0/CPU0:Jul 18 13:47: : radiusd[1117]: RADIUS: Dynamic- Author- Error- Cause[101] 6 Session Context Not Found[0] 174 of 237

175 RP/0/RSP0/CPU0:Jul 18 13:47: : radiusd[1117]: RADIUS: Reply- Message [18] 48 No sessions found matching identities provided RP/0/RSP0/CPU0:Jul 18 13:47: : radiusd[1117]: Updating last used server Packet capture from wireshark PoD request packt No. Time Source Destination Protocol Length Info RADIUS 72 Disconnect- Request(40) (id=140, l=30) Frame 5358: 72 bytes on wire (576 bits), 72 bytes captured (576 bits) on interface 0 Ethernet II, Src: Vmware_c3:a0:3a (00:0c:29:c3:a0:3a), Dst: Cisco_3a:d1:f5 (e4:c7:22:3a:d1:f5) Internet Protocol Version 4, Src: ( ), Dst: ( ) User Datagram Protocol, Src Port: (31468), Dst Port: mps- raft (1700) Source port: (31468) Destination port: mps- raft (1700) Length: 38 Checksum: 0x1bca [validation disabled] Radius Protocol Code: Disconnect- Request (40) Packet identifier: 0x8c (140) Length: 30 Authenticator: 38d643fb4b291c2499d8bc789f [The response to this request is in frame 5359] Attribute Value Pairs AVP: l=10 t=acct- Session- Id(44): d PoD NAK packet No. Time Source Destination Protocol Length Info RADIUS 135 Disconnect- NAK(42) (id=140, l=93) Frame 5359: 135 bytes on wire (1080 bits), 135 bytes captured (1080 bits) on interface 0 Ethernet II, Src: Cisco_3a:d1:f5 (e4:c7:22:3a:d1:f5), Dst: Vmware_c3:a0:3a (00:0c:29:c3:a0:3a) Internet Protocol Version 4, Src: ( ), Dst: ( ) User Datagram Protocol, Src Port: mps- raft (1700), Dst Port: (31468) Source port: mps- raft (1700) Destination port: (31468) Length: 101 Checksum: 0xdaea [validation disabled] Radius Protocol Code: Disconnect- NAK (42) Packet identifier: 0x8c (140) Length: 93 Authenticator: 4eed8a0c9ffbe62602fb07d98bac1e9f [This is a response to a request in frame 5358] [Time from request: seconds] Attribute Value Pairs AVP: l=10 t=acct- Session- Id(44): d Acct- Session- Id: d AVP: l=9 t=vendor- Specific(26) v=ciscosystems(9) VSA: l=3 t=cisco- Command- Code(252): X Cisco- Command- Code: X AVP: l=6 t=error- Cause(101): Session- Context- Not- Found(503) Error- Cause: Session- Context- Not- Found (503) AVP: l=48 t=reply- Message(18): No sessions found matching identities provided Reply- Message: No sessions found matching identities provided 175 of 237

176 Note - Acct-session-id here is used as a session key and it s the only attribute needed in the CoA request in this case. alternatively, you can use framed-ipaddress plus AVpair vrf-id as session key. - Note this is a PoD (code 40), rather than a CoA request, although CoA account-logoff command can also be used to disconnect a session. - When BNG fails to take the action requested by the PoD, IETF attribute Erroe-Cause (101) and reply-message (18) are included in the PoD NAK message to inform the CoA client the reason of failure. the string in those two attributes are predefined in the code, not configurable Example of PoD using acct-session-id as session key Scenario There is a pppoe session established with acct-session-id 0x e, a PoD request with correct acct-session-id is sent to BNG to disconnect the session. RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all detail Fri Jul 18 13:45: UTC Interface: Bundle- Ether pppoe14 Circuit ID: Unknown Remote ID: Unknown Type: PPPoE:PTA IPv4 State: Up, Fri Jul 18 13:45: IPv4 Address: , VRF: default Mac Address: 3c07.545f.c041 Account- Session Id: e CoA client command C:\COA\coa_w32.exe>coa_w32.exe - n p d - k cisco , e Using POD with : NAS: ac1258e6 Port: 1700 Secret: cisco123 Timeout: 2 (0 means indefinite wait) POD: Request was accepted (ID 196) CoA Client (version 2.6),(c) April- 2012, xander thuijs CCIE#6775 Cisco Systems Int. 176 of 237

177 ASR9K show/debug display RP/0/RSP0/CPU0:Roy_BNG_1#RP/0/RSP0/CPU0:Jul 18 14:08: : radiusd[1117]: RADIUS: Received from id , POD Request, len 30 RP/0/RSP0/CPU0:Jul 18 14:08: : radiusd[1117]: RADIUS: authenticator 81 9A B 77 C3 E9 - E F 61 3C 82 RP/0/RSP0/CPU0:Jul 18 14:08: : radiusd[1117]: RADIUS: Acct- Session- Id [44] e RP/0/RSP0/CPU0:Jul 18 14:08: : radiusd[1117]: RADIUS: Send Disconnect Ack Response to id 196, len 20 RP/0/RSP0/CPU0:Jul 18 14:08: : radiusd[1117]: RADIUS: authenticator 58 3A C7 9F D3 12-3B D DF B6 RP/0/RSP0/CPU0:Jul 18 14:08: : radiusd[1117]: Updating last used server RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber manager disconnect- history unique Fri Jul 18 14:14: UTC Location: 0/RSP0/CPU0 [ IEDGE DISCONNECT HISTORY UNIQUE EVENTS ] Disconnect Reason: CoA Session- Disconnect Disconnect Cause: AAA_DISC_CAUSE_SESSION_DISC (1) Abort Cause: AAA_AV_ABORT_CAUSE_RADIUS_DISC (51) Terminate Cause: AAA_AV_TERMINATE_CAUSE_ADMIN_RESET (6) Disconnect Count: 3 Last Time Disconnected: 2014:07:18 14:08:27 Client: Last Subscriber Label: Last Interface: [ Last Session Info ] [iedge internal] 0x d BE pppoe14 Interface: Unknown Circuit ID: Unknown Remote ID: Unknown Type: PPPoE:PTA IPv4 State: Up, Fri Jul 18 13:45: IPv4 Address: , VRF: default IPv4 Up helpers: 0x {PPP} IPv4 Up requestors: 0x {PPP} IPv6 State: Down, Fri Jul 18 13:45: Mac Address: 3c07.545f.c041 Account- Session Id: e Nas- Port: User name: PPP3@S99 Outer VLAN ID: 101 Inner VLAN ID: 99 Subscriber Label: 0x d Created: Fri Jul 18 13:45: State: Activated Authentication: authenticated Authorization: unauthorized Ifhandle: 0x000016e0 Session History ID: 1 Access- interface: Bundle- Ether Policy Executed: event Session- Start match- first [at Fri Jul 18 13:45: ] 177 of 237

178 class type control subscriber S99_PTA do- until- failure [Succeeded] 10 activate dynamic- template S99_DT_LCP [cerr: No error][aaa: Success] event Session- Activate match- first [at Fri Jul 18 13:45: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 authenticate aaa list S99_AAA_list [cerr: No error][aaa: Success] 20 activate dynamic- template DOWNLOADING_SERVICE_1 aaa list S99_AAA_list [cerr: No error][aaa: Success] 30 activate dynamic- template S99_DT_PTA_MIN [cerr: No error][aaa: Success] Session Accounting: disabled Last COA request: Fri Jul 18 14:08: COA Request Attribute List: 0x50100ea8 1: command len= 19 value= session- disconnect < there is no any AVpair= Command=session- disconnct included in the PoD request, the reason you find this line displayed here is that this is the internal AAA attributes rather than a radius attribute, when a PoD request is received, AAA code interpret it as there is a AAA attribute of command = session- disconnect, debug aaa- subs all can show you what happened. Last COA response: Result NACK CoA response Attribute List: None User Profile received from AAA: Attribute List: 0x501010b8 1: service- type len= 4 value= Framed Services: Name : S99_DT_LCP Service- ID : 0x400003e Type : Template Status : Applied Name : S99_SERVICE_2 Service- ID : 0x400002a Type : Multi Template Status : Applied Name : DOWNLOADING_SERVICE_1 Service- ID : 0x Type : Profile Status : Applied Name : S99_DT_PTA_MIN Service- ID : 0x400005a Type : Template Status : Applied [Last IPv6 down] Disconnect Reason: Disconnect Cause: AAA_DISC_CAUSE_SESSION_DISC (1) Abort Cause: AAA_AV_ABORT_CAUSE_NO_REASON (0) Terminate Cause: AAA_AV_TERMINATE_CAUSE_NONE (0) Disconnect called by: [iedge internal] [Event History] Jul 18 13:45: SUBDB produce done [many] Jul 18 13:45: IPv4 Up Jul 18 14:08: CoA request Packet capture from wireshark PoD request packet 178 of 237

179 No. Time Source Destination Protocol Length Info RADIUS 72 Disconnect- Request(40) (id=196, l=30) Frame 6304: 72 bytes on wire (576 bits), 72 bytes captured (576 bits) on interface 0 Ethernet II, Src: Vmware_c3:a0:3a (00:0c:29:c3:a0:3a), Dst: Cisco_3a:d1:f5 (e4:c7:22:3a:d1:f5) Internet Protocol Version 4, Src: ( ), Dst: ( ) User Datagram Protocol, Src Port: (30048), Dst Port: mps- raft (1700) Source port: (30048) Destination port: mps- raft (1700) Length: 38 Checksum: 0xf75a [validation disabled] Radius Protocol Code: Disconnect- Request (40) Packet identifier: 0xc4 (196) Length: 30 Authenticator: 819a44254b77c3e9e f613c82 [The response to this request is in frame 6307] Attribute Value Pairs AVP: l=10 t=acct- Session- Id(44): e Acct- Session- Id: e PoD ACK packet No. Time Source Destination Protocol Length Info RADIUS 62 Disconnect- ACK(41) (id=196, l=20) Frame 6307: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface 0 Ethernet II, Src: Cisco_3a:d1:f5 (e4:c7:22:3a:d1:f5), Dst: Vmware_c3:a0:3a (00:0c:29:c3:a0:3a) Internet Protocol Version 4, Src: ( ), Dst: ( ) User Datagram Protocol, Src Port: mps- raft (1700), Dst Port: (30048) Source port: mps- raft (1700) Destination port: (30048) Length: 28 Checksum: 0xf442 [validation disabled] Radius Protocol Code: Disconnect- ACK (41) Packet identifier: 0xc4 (196) Length: 20 Authenticator: 583ac79f6111d3123bd dfb6 [This is a response to a request in frame 6304] [Time from request: seconds] Note - there is not any attributes included in a PoD ACK message Example of PoD using framed-ip-address as session Scenario key 179 of 237

180 Use IETF attribute framed-ip-address (8) as session key to send PoD to disconnect a session. CoA client command C:\COA\coa_w32.exe>coa_w32.exe - n p d - k cisco ,IP CoA Client (version 2.6),(c) April- 2012, xander thuijs CCIE#6775 Cisco Systems Int. Using POD with : NAS: ac1258e6 Port: 1700 Secret: cisco123 Timeout: 2 (0 means indefinite wait) POD: Request was accepted (ID 5) C:\COA\coa_w32.exe> ASR9K debug/show display RP/0/RSP0/CPU0:Roy_BNG_1#sh debug Fri Jul 18 15:00: UTC #### debug flags set from tty 'vty0' #### radius basic flag is ON aaabase all flag is ON RP/0/RSP0/CPU0:Roy_BNG_1#RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: RADIUS: Received from id , POD Request, len 26 RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: RADIUS: authenticator 54 CB DD AA 3D 7F CE FE E1 02 6C RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: RADIUS: Framed- IP- Address [8] RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_alloc:allocated aaa base req structure 5013cd5c, 5005f17c RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_request_init: Setting the req param for req type RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_set_context: Setting the context structure for the aaa req RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_set_callback: Setting the callback function for the req RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_add_attr_list: Setting the attribute list for the req RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:client] Attribute List - - 1: addr len= 4 svc<0> prot<0> tag<0> mand<0> client<0x0> : co RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_send: Sending the req request from Client to Server RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:generic] aaa_base_handle_aaa_api: AAA Base Server Pulse handler- Received 10 msg type RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: FSM State: INIT Event:20 RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: Added req in hash table id 28 RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: First Server group selected RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:generic] Attribute List: 0x5005f2d0 RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:generic] 1: addr len= 4 svc<0> prot<0> tag<0> mand<0> client<0x0> RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:generic] 2: command len= 18 svc<0> prot<38> tag<0> mand<1> client<0x0>session- disconnect 180 of 237

181 RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_marshall_aaa_base_req_request_parameters: Marshalling req Message type 10 Application id 1 RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_send: sent msg ipc_send passed buf_len: 128 RP/0/RSP0/CPU0:Jul 18 14:57: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_handle_protocol_base_msg: Received IPC message Type 10 App type 1 id 28 RP/0/RSP0/CPU0:Jul 18 14:57: : iedged[246]: [AAA_BASE:client] aaa_base_req_alloc:allocated aaa base req structure 50c876a4, 50d60e8c RP/0/RSP0/CPU0:Jul 18 14:57: : iedged[246]: [AAA_BASE:generic] Attribute List: 0x50c87be4 RP/0/RSP0/CPU0:Jul 18 14:57: : iedged[246]: [AAA_BASE:generic] 1: addr len= 4 svc<0> prot<0> tag<0> mand<0> client<0x0> RP/0/RSP0/CPU0:Jul 18 14:57: : iedged[246]: [AAA_BASE:generic] 2: command len= 18 svc<0> prot<38> tag<0> mand<1> client<0x0>session- disconnect RP/0/RSP0/CPU0:Jul 18 14:57: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: FSM State: INIT Event:22 RP/0/RSP0/CPU0:Jul 18 14:57: : iedged[246]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:aaa Base Client Handler... RP/0/RSP0/CPU0:Jul 18 14:57: : iedged[246]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:calling client call back function RP/0/RSP0/CPU0:Jul 18 14:57: : iedged[246]: [AAA_BASE:fsm] aaa_base_handle_aaa_msg: Invoking call back function for app type 1 RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_client_handler client context: ec94e9dc RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_client_handler: IPC_NOTIFY_SENDSTATUS ipc_release_buffer success msg_len= 128 RP/0/RSP0/CPU0:Jul 18 14:57: : iedged[246]: [AAA_BASE:client] aaa_base_req_add_attr_list: Setting the attribute list for the req RP/0/RSP0/CPU0:Jul 18 14:57: : iedged[246]: [AAA_BASE:client] Attribute List - - RP/0/RSP0/CPU0:Jul 18 14:57: : iedged[246]: [AAA_BASE:generic] aaa_base_handle_aaa_api: AAA Base Server Pulse handler- Received 11 msg type RP/0/RSP0/CPU0:Jul 18 14:57: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_g_received: FSM State: G RECEIVED Event:21 RP/0/RSP0/CPU0:Jul 18 14:57: : iedged[246]: [AAA_BASE:generic] Attribute List: 0x50c87be4 RP/0/RSP0/CPU0:Jul 18 14:57: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_send: sent msg ipc_send passed buf_len: 37 RP/0/RSP0/CPU0:Jul 18 14:57: : iedged[246]: [AAA_BASE:client] aaa_base_req_free: Freeing the aaa base req structure 50c876a4, 50d60e8c RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_handle_aaa_base_msg: Received IPC message Type 11 App type 1 RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:error] aaa_base_aipc_handle_aaa_base_msg: req_handle is successfully removed from hash table. id 28 RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:generic] Attribute List: 0x5005f2d0 RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_g_sent: FSM State: G SENT Event:23 RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_g_sent: Received PASS status RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:aaa Base Client Handler... RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:calling client call back function RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_free: Freeing the aaa base req structure 5013cd5c, 5005f17c RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: RADIUS: Send Disconnect Ack Response to id 5, len 20 RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: RADIUS: authenticator 52 E1 7F 9E 4E F - 6B RP/0/RSP0/CPU0:Jul 18 14:57: : radiusd[1117]: Updating last used server RP/0/RSP0/CPU0:Jul 18 14:57: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_client_handler client context: ec94e9dc RP/0/RSP0/CPU0:Jul 18 14:57: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_client_handler: IPC_NOTIFY_SENDSTATUS ipc_release_buffer success msg_len= 37 Packet capture from Wireshark PoD request packet No. Time Source Destination Protocol Length Info 181 of 237

182 RADIUS 68 Disconnect- Request(40) (id=5, l=26) Frame 8418: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 0 Ethernet II, Src: Vmware_c3:a0:3a (00:0c:29:c3:a0:3a), Dst: Cisco_3a:d1:f5 (e4:c7:22:3a:d1:f5) Internet Protocol Version 4, Src: ( ), Dst: ( ) User Datagram Protocol, Src Port: (30337), Dst Port: mps- raft (1700) Source port: (30337) Destination port: mps- raft (1700) Length: 34 Checksum: 0xc3c0 [validation disabled] Radius Protocol Code: Disconnect- Request (40) Packet identifier: 0x5 (5) Length: 26 Authenticator: 54cbddaa3d7f418066cefe1307e1026c [The response to this request is in frame 8421] Attribute Value Pairs AVP: l=6 t=framed- IP- Address(8): Example of PoD using framed-ip-address plus AVPair Scenario vrf-id as session key when the session is in a non-default vrf, Use IETF attribute framed-ip-address (8) plus cisco AVpair vrf-id as session key to send PoD to disconnect a session. RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de Fri Jul 18 15:42: UTC Interface: Bundle- Ether pppoe17 Circuit ID: Unknown Remote ID: Unknown Type: PPPoE:PTA IPv4 State: Up, Fri Jul 18 15:42: IPv4 Address: , VRF: S99_VRF Mac Address: 3c07.545f.c041 Account- Session Id: CoA client command C:\COA\coa_w32.exe>coa_w32.exe - n p d - k cisco ,IP ,9,1,"vrf- id=s99_vrf" Using POD with : NAS: ac1258e6 Port: 1700 Secret: cisco123 Timeout: 2 (0 means indefinite wait) CoA Client (version 2.6),(c) April- 2012, xander thuijs CCIE#6775 Cisco Systems Int. 182 of 237

183 POD: Request was accepted (ID 80) ASR9K debug/show display #### debug flags set from tty 'vty0' #### radius basic flag is ON aaabase all flag is ON RP/0/RSP0/CPU0:Roy_BNG_1#ter moni Fri Jul 18 15:43: UTC RP/0/RSP0/CPU0:Roy_BNG_1#RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: RADIUS: Received from id , POD Request, len 48 RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: RADIUS: authenticator 08 F4 EF F A D6 81 5B RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: RADIUS: Framed- IP- Address [8] RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: RADIUS: Vendor- Specific [26] 22 RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: vrfnametoidlookup for vrf S99_VRF - No error RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_request_init: Setting the req param for req type RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_set_context: Setting the context structure for the aaa req RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_set_callback: Setting the callback function for the req RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_add_attr_list: Setting the attribute list for the req RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_alloc:allocated aaa base req structure 5013cd5c, 5005f17c RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:client] Attribute List - - 1: addr len= 4 svc<0> prot<0> tag<0> mand<0> client<0x0> : vrf RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_send: Sending the req request from Client to Server RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: FSM State: INIT Event:20 RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: Added req in hash table id 30 RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: First Server group selected RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:generic] Attribute List: 0x5005f2d0 RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:generic] aaa_base_handle_aaa_api: AAA Base Server Pulse handler- Received 10 msg type RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:generic] 1: addr len= 4 svc<0> prot<0> tag<0> mand<0> client<0x0> RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:generic] 2: vrf- id len= 4 svc<0> prot<0> tag<0> mand<1> client<0x0> ( ) RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:generic] 4: command len= 18 svc<0> prot<38> tag<0> mand<1> client<0x0>session- disconnect RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_marshall_aaa_base_req_request_parameters: Marshalling req Message type 10 Application id 1 RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:generic] 3: ip- vrf len= 7 svc<0> prot<0> tag<0> mand<1> client<0x0>s99_vrf RP/0/RSP0/CPU0:Jul 18 15:43: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_handle_protocol_base_msg: Received IPC message Type 10 App type 1 id 30 RP/0/RSP0/CPU0:Jul 18 15:43: : iedged[246]: [AAA_BASE:client] aaa_base_req_alloc:allocated aaa base req structure 50c876a4, 50d60e8c RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_send: sent msg ipc_send passed buf_len: 172 RP/0/RSP0/CPU0:Jul 18 15:43: : iedged[246]: [AAA_BASE:generic] 1: addr len= 4 svc<0> prot<0> tag<0> mand<0> client<0x0> RP/0/RSP0/CPU0:Jul 18 15:43: : iedged[246]: [AAA_BASE:generic] 2: vrf- id len= 4 svc<0> prot<0> tag<0> mand<1> client<0x0> ( ) RP/0/RSP0/CPU0:Jul 18 15:43: : iedged[246]: [AAA_BASE:generic] 3: ip- vrf len= 7 svc<0> prot<0> tag<0> mand<1> client<0x0>s99_vrf RP/0/RSP0/CPU0:Jul 18 15:43: : iedged[246]: [AAA_BASE:generic] Attribute List: 0x50c87be4 RP/0/RSP0/CPU0:Jul 18 15:43: : iedged[246]: [AAA_BASE:generic] 4: command len= 18 svc<0> prot<38> tag<0> mand<1> client<0x0>session- disconnect RP/0/RSP0/CPU0:Jul 18 15:43: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: FSM State: INIT Event:22 RP/0/RSP0/CPU0:Jul 18 15:43: : iedged[246]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:aaa Base Client Handler of 237

184 RP/0/RSP0/CPU0:Jul 18 15:43: : iedged[246]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:calling client call back function RP/0/RSP0/CPU0:Jul 18 15:43: : iedged[246]: [AAA_BASE:fsm] aaa_base_handle_aaa_msg: Invoking call back function for app type 1 RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_client_handler client context: ec94e9dc RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_client_handler: IPC_NOTIFY_SENDSTATUS ipc_release_buffer success msg_len= 172 RP/0/RSP0/CPU0:Jul 18 15:43: : iedged[246]: [AAA_BASE:client] aaa_base_req_add_attr_list: Setting the attribute list for the req RP/0/RSP0/CPU0:Jul 18 15:43: : iedged[246]: [AAA_BASE:client] Attribute List - - RP/0/RSP0/CPU0:Jul 18 15:43: : iedged[246]: [AAA_BASE:generic] aaa_base_handle_aaa_api: AAA Base Server Pulse handler- Received 11 msg type RP/0/RSP0/CPU0:Jul 18 15:43: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_g_received: FSM State: G RECEIVED Event:21 RP/0/RSP0/CPU0:Jul 18 15:43: : iedged[246]: [AAA_BASE:generic] Attribute List: 0x50c87be4 RP/0/RSP0/CPU0:Jul 18 15:43: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_send: sent msg ipc_send passed buf_len: 37 RP/0/RSP0/CPU0:Jul 18 15:43: : iedged[246]: [AAA_BASE:client] aaa_base_req_free: Freeing the aaa base req structure 50c876a4, 50d60e8c RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_handle_aaa_base_msg: Received IPC message Type 11 App type 1 RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:error] aaa_base_aipc_handle_aaa_base_msg: req_handle is successfully removed from hash table. id 30 RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:generic] Attribute List: 0x5005f2d0 RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_g_sent: FSM State: G SENT Event:23 RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_g_sent: Received PASS status RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:aaa Base Client Handler... RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:calling client call back function RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_free: Freeing the aaa base req structure 5013cd5c, 5005f17c RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: RADIUS: Send Disconnect Ack Response to id 180, len 20 RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: RADIUS: authenticator D 88 6E 3A 3A 3B - 26 B0 9A D4 0A 68 C5 5B RP/0/RSP0/CPU0:Jul 18 15:43: : radiusd[1117]: Updating last used server RP/0/RSP0/CPU0:Jul 18 15:43: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_client_handler client context: ec94e9dc RP/0/RSP0/CPU0:Jul 18 15:43: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_client_handler: IPC_NOTIFY_SENDSTATUS ipc_release_buffer success msg_len= 37 Packet capture from Wireshark PoD request packet No. Time Source Destination Protocol Length Info RADIUS 90 Disconnect- Request(40) (id=180, l=48) Frame 10199: 90 bytes on wire (720 bits), 90 bytes captured (720 bits) on interface 0 Ethernet II, Src: Vmware_c3:a0:3a (00:0c:29:c3:a0:3a), Dst: Cisco_3a:d1:f5 (e4:c7:22:3a:d1:f5) Internet Protocol Version 4, Src: ( ), Dst: ( ) User Datagram Protocol, Src Port: (30768), Dst Port: mps- raft (1700) Source port: (30768) Destination port: mps- raft (1700) Length: 56 Checksum: 0x401a [validation disabled] Radius Protocol Code: Disconnect- Request (40) Packet identifier: 0xb4 (180) Length: 48 Authenticator: 08f4ef f ad6815b7868 [The response to this request is in frame 10202] Attribute Value Pairs AVP: l=6 t=framed- IP- Address(8): of 237

185 Note AVP: l=22 t=vendor- Specific(26) v=ciscosystems(9) VSA: l=16 t=cisco- AVPair(1): vrf- id=s99_vrf -The reason that VRF is needed is to handle the situation with IP address overlapping among VRFs. -When the session is in default vrf, no need to include vrf-id -When use acct-session-id as session key, even the session is in a non-default vrf, the vrf-id is not needed since the acct-session-id is a system-widen unique value. -vrf-id + framed-ip-address as session key even works for a dual stack session Example of PoD using username as session key Scenario Use IETF attribute User-Name (1) as session key to send PoD to disconnect a session -even a dual stack session. RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber ses all de Fri Jul 18 16:15: UTC Interface: Bundle- Ether pppoe18 Circuit ID: Unknown Remote ID: Unknown Type: PPPoE:PTA IPv4 State: Up, Fri Jul 18 15:54: IPv4 Address: , VRF: default IPv6 State: Up, Fri Jul 18 15:54: Framed IPv6 Prefix: 20:1:1::/64, VRF: default IPv6 Interface ID: >.T.._.A (3e ff fe 5f c0 41) Mac Address: 3c07.545f.c041 Account- Session Id: Nas- Port: User name: V6PPP4@S99 CoA client command C:\COA\coa_w32.exe>coa_w32.exe - n p d - k cisco ,V6PP P4@S99 CoA Client (version 2.6),(c) April- 2012, xander thuijs CCIE#6775 Cisco Systems Int. Using POD with : NAS: ac1258e6 Port: of 237

186 Secret: cisco123 Timeout: 2 (0 means indefinite wait) POD: Request was accepted (ID 242) ASR9K debug/show display RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: RADIUS: Received from id , POD Request, len 32 RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: RADIUS: authenticator 80 5D 63 EF E5 97 A3 CC - E6 4F E9 0C AD 1F D7 93 RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_alloc:allocated aaa base req structure , 50147dd8 RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: RADIUS: User- Name [1] 12 V6PPP4@S99 RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_request_init: Setting the req param for req type RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_set_context: Setting the context structure for the aaa req RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_set_callback: Setting the callback function for the req RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_add_attr_list: Setting the attribute list for the req RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:client] Attribute List - - 1: username len= 10 svc<0> prot<0> tag<0> mand<0> client<0x0>v6ppp4@s99 2: c RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_send: Sending the req request from Client to Server RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:generic] aaa_base_handle_aaa_api: AAA Base Server Pulse handler- Received 10 msg type RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: FSM State: INIT Event:20 RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: Added req in hash table id 3 RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: First Server group selected RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:generic] Attribute List: 0x50147f2c RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:generic] 1: username len= 10 svc<0> prot<0> tag<0> mand<0> client<0x0>v6ppp4@s99 RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:generic] 2: command len= 18 svc<0> prot<38> tag<0> mand<1> client<0x0>session- disconnect RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_marshall_aaa_base_req_request_parameters: Marshalling req Message type 10 Application id 1 RP/0/RSP0/CPU0:Jul 18 16:17: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_handle_protocol_base_msg: Received IPC message Type 10 App type 1 id 3 RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_send: sent msg ipc_send passed buf_len: 135 RP/0/RSP0/CPU0:Jul 18 16:17: : iedged[246]: [AAA_BASE:generic] Attribute List: 0x50c89534 RP/0/RSP0/CPU0:Jul 18 16:17: : iedged[246]: [AAA_BASE:generic] 1: username len= 10 svc<0> prot<0> tag<0> mand<0> client<0x0>v6ppp4@s99 RP/0/RSP0/CPU0:Jul 18 16:17: : iedged[246]: [AAA_BASE:generic] 2: command len= 18 svc<0> prot<38> tag<0> mand<1> client<0x0>session- disconnect RP/0/RSP0/CPU0:Jul 18 16:17: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: FSM State: INIT Event:22 RP/0/RSP0/CPU0:Jul 18 16:17: : iedged[246]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:aaa Base Client Handler... RP/0/RSP0/CPU0:Jul 18 16:17: : iedged[246]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:calling client call back function RP/0/RSP0/CPU0:Jul 18 16:17: : iedged[246]: [AAA_BASE:client] aaa_base_req_alloc:allocated aaa base req structure 50adc308, 50d80e80 RP/0/RSP0/CPU0:Jul 18 16:17: : iedged[246]: [AAA_BASE:fsm] aaa_base_handle_aaa_msg: Invoking call back function for app type 1 RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_client_handler client context: ec94e9dc RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_client_handler: IPC_NOTIFY_SENDSTATUS ipc_release_buffer success msg_len= 135 RP/0/RSP0/CPU0:Jul 18 16:17: : iedged[246]: [AAA_BASE:client] aaa_base_req_add_attr_list: Setting the attribute list for the req RP/0/RSP0/CPU0:Jul 18 16:17: : iedged[246]: [AAA_BASE:client] Attribute List - - RP/0/RSP0/CPU0:Jul 18 16:17: : iedged[246]: [AAA_BASE:generic] aaa_base_handle_aaa_api: AAA Base Server Pulse handler- Received 11 msg type 186 of 237

187 RP/0/RSP0/CPU0:Jul 18 16:17: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_g_received: FSM State: G RECEIVED Event:21 RP/0/RSP0/CPU0:Jul 18 16:17: : iedged[246]: [AAA_BASE:generic] Attribute List: 0x50c89534 RP/0/RSP0/CPU0:Jul 18 16:17: : iedged[246]: [AAA_BASE:client] aaa_base_req_free: Freeing the aaa base req structure 50adc308, 50d80e80 RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_handle_aaa_base_msg: Received IPC message Type 11 App type 1 RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:error] aaa_base_aipc_handle_aaa_base_msg: req_handle is successfully removed from hash table. id 3 RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:generic] Attribute List: 0x RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_g_sent: FSM State: G SENT Event:23 RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_g_sent: Received PASS status RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:aaa Base Client Handler... RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:calling client call back function RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_free: Freeing the aaa base req structure , 50147dd8 RP/0/RSP0/CPU0:Jul 18 16:17: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_send: sent msg ipc_send passed buf_len: 37 RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: RADIUS: authenticator DE D6 0D AB - C0 83 6C CD 9A B6 6A CA RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: RADIUS: Send Disconnect Ack Response to id 242, len 20 RP/0/RSP0/CPU0:Jul 18 16:17: : radiusd[1117]: Updating last used server RP/0/RSP0/CPU0:Jul 18 16:17: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_client_handler client context: ec94e9dc RP/0/RSP0/CPU0:Jul 18 16:17: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_client_handler: IPC_NOTIFY_SENDSTATUS ipc_release_buffer success msg_len= 37 Packet capture from Wireshark PoD request packet No. Time Source Destination Protocol Length Info RADIUS 74 Disconnect- Request(40) (id=242, l=32) Frame 11895: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface 0 Ethernet II, Src: Vmware_c3:a0:3a (00:0c:29:c3:a0:3a), Dst: Cisco_3a:d1:f5 (e4:c7:22:3a:d1:f5) Internet Protocol Version 4, Src: ( ), Dst: ( ) User Datagram Protocol, Src Port: (31347), Dst Port: mps- raft (1700) Source port: (31347) Destination port: mps- raft (1700) Length: 40 Checksum: 0x1875 [validation disabled] Radius Protocol Code: Disconnect- Request (40) Packet identifier: 0xf2 (242) Length: 32 Authenticator: 805d63efe597a3cce64fe90cad1fd793 [The response to this request is in frame 11899] Attribute Value Pairs AVP: l=12 t=user- Name(1): V6PPP4@S99 Note -It works for both V4 and V6 session and Dual stack session. -No matter what vrf the session is in, no need to include vrf-id 187 of 237

188 -Be aware of the risk that in some deployment user-name is not unique system widen, in this case a PoD/CoA with user-name as session key will not be processed and NAK will be sent to the client, see following example. RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber session all username Fri Jul 18 16:32: UTC Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated, ID - Idle, DN - Disconnecting, ED - End Type Interface State User name PPPoE:PTA BE pppoe20 AC PPP6@S99 PPPoE:PTA BE pppoe21 AC PPP6@S99 RP/0/RSP0/CPU0:Roy_BNG_1#debug radius Fri Jul 18 16:34: UTC RP/0/RSP0/CPU0:Roy_BNG_1#RP/0/RSP0/CPU0:Jul 18 16:34: : radiusd[1117]: RADIUS: Received from id , POD Request, len 30 RP/0/RSP0/CPU0:Jul 18 16:34: : radiusd[1117]: RADIUS: authenticator 1F D4 9C E7 00 B0 AE D8-6C 71 FD D7 D3 9C RP/0/RSP0/CPU0:Jul 18 16:34: : radiusd[1117]: RADIUS: User- Name [1] 10 PPP6@S99 RP/0/RSP0/CPU0:Jul 18 16:34: : radiusd[1117]: RADIUS: Send Disconnect Nack Response to id 150, len 99 RP/0/RSP0/CPU0:Jul 18 16:34: : radiusd[1117]: RADIUS: authenticator 5F D F A1 48 5B D9 E7 37 RP/0/RSP0/CPU0:Jul 18 16:34: : radiusd[1117]: RADIUS: User- Name [1] 10 PPP6@S99 RP/0/RSP0/CPU0:Jul 18 16:34: : radiusd[1117]: RADIUS: Vendor- Specific [26] 9 RP/0/RSP0/CPU0:Jul 18 16:34: : radiusd[1117]: RADIUS: Dynamic- Author- Error- Cause[101] 6 Session Context Not Found[0] RP/0/RSP0/CPU0:Jul 18 16:34: : radiusd[1117]: RADIUS: Reply- Message [18] 54 Multiple sessions found matching identities provided RP/0/RSP0/CPU0:Jul 18 16:34: : radiusd[1117]: Updating last used server RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber session all username Fri Jul 18 16:34: UTC Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated, ID - Idle, DN - Disconnecting, ED - End Type Interface State User name PPPoE:PTA BE pppoe20 AC PPP6@S99 PPPoE:PTA BE pppoe21 AC PPP6@S99 RP/0/RSP0/CPU0:Roy_BNG_1# 188 of 237

189 6.5.Account-logoff Here are some examples of CoA account- logoff, BNG disconnect a session on the reception of a CoA account- logoff request as it does on the reception of a PoD request Example of basic CoA account-logoff Scenario There is a pppoe session established with acct-session-id 0x and use cisco AVPair command=account-logoff to disconnect it, watching the difference comparing to PoD. Note, no event of account-logoff is configured in the configure of the control policy. policy- map type control subscriber S99_CP_PTA_SERVICE_DOWNLOAD event session- start match- first class type control subscriber S99_PTA do- until- failure 10 activate dynamic- template S99_DT_LCP event session- activate match- first class type control subscriber S99_PTA do- until- failure 10 authenticate aaa list S99_AAA_list 20 activate dynamic- template DOWNLOADING_SERVICE_1 aaa list S99_AAA_list 30 activate dynamic- template S99_DT_PTA_MIN CoA client command C:\COA\coa_w32.exe>coa_w32.exe - n p k cisco , ,9,1,"command=account- logoff" CoA Client (version 2.6),(c) April- 2012, xander thuijs CCIE#6775 Cisco Systems Int. Using COA with : NAS: ac1258e6 Port: 1700 Secret: cisco123 Timeout: 2 (0 means indefinite wait) CoA: Request was accepted (ID 1) ASR9K show/debug display RP/0/RSP0/CPU0:Roy_BNG_1#RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: RADIUS: Received from id , CoA Request, len 60 RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: RADIUS: authenticator 5D FA A B1 14 C6 0E 41 C6 CB E2 RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: RADIUS: Acct- Session- Id [44] of 237

190 RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: RADIUS: Vendor- Specific [26] 30 RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_alloc:allocated aaa base req structure 5013cdb4, 5013ab58 RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_request_init: Setting the req param for req type RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_set_context: Setting the context structure for the aaa req RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_set_callback: Setting the callback function for the req RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_add_attr_list: Setting the attribute list for the req RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:client] Attribute List - - 1: string- session- id len= 8 svc<0> prot<0> tag<0> mand<0> client<0x0> : c RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_send: Sending the req request from Client to Server RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:generic] aaa_base_handle_aaa_api: AAA Base Server Pulse handler- Received 10 msg type RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: FSM State: INIT Event:20 RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: Added req in hash table id 5 RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: First Server group selected RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:generic] Attribute List: 0x5013acac RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:generic] 1: string- session- id len= 8 svc<0> prot<0> tag<0> mand<0> client<0x0> RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:generic] 2: command len= 14 svc<0> prot<0> tag<0> mand<1> client<0x0>account- logoff RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_marshall_aaa_base_req_request_parameters: Marshalling req Message type 10 Application id 1 RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_send: sent msg ipc_send passed buf_len: 129 RP/0/RSP0/CPU0:Jul 21 14:42: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_handle_protocol_base_msg: Received IPC message Type 10 App type 1 id 5 RP/0/RSP0/CPU0:Jul 21 14:42: : iedged[246]: [AAA_BASE:client] aaa_base_req_alloc:allocated aaa base req structure 50d564fc, 50dace4c RP/0/RSP0/CPU0:Jul 21 14:42: : iedged[246]: [AAA_BASE:generic] Attribute List: 0x50d2a134 RP/0/RSP0/CPU0:Jul 21 14:42: : iedged[246]: [AAA_BASE:generic] 1: string- session- id len= 8 svc<0> prot<0> tag<0> mand<0> client<0x0> RP/0/RSP0/CPU0:Jul 21 14:42: : iedged[246]: [AAA_BASE:generic] 2: command len= 14 svc<0> prot<0> tag<0> mand<1> client<0x0>account- logoff RP/0/RSP0/CPU0:Jul 21 14:42: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_init: FSM State: INIT Event:22 RP/0/RSP0/CPU0:Jul 21 14:42: : iedged[246]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:aaa Base Client Handler... RP/0/RSP0/CPU0:Jul 21 14:42: : iedged[246]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:calling client call back function RP/0/RSP0/CPU0:Jul 21 14:42: : iedged[246]: [AAA_BASE:fsm] aaa_base_handle_aaa_msg: Invoking call back function for app type 1 RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_client_handler client context: ec7139dc RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_client_handler: IPC_NOTIFY_SENDSTATUS ipc_release_buffer success msg_len= 129 RP/0/RSP0/CPU0:Jul 21 14:42: : iedged[246]: [AAA_BASE:client] aaa_base_req_add_attr_list: Setting the attribute list for the req 190 of 237

191 RP/0/RSP0/CPU0:Jul 21 14:42: : iedged[246]: [AAA_BASE:client] Attribute List - - RP/0/RSP0/CPU0:Jul 21 14:42: : iedged[246]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_g_received: FSM State: G RECEIVED Event:21 RP/0/RSP0/CPU0:Jul 21 14:42: : iedged[246]: [AAA_BASE:generic] Attribute List: 0x50d2a134 RP/0/RSP0/CPU0:Jul 21 14:42: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_send: sent msg ipc_send passed buf_len: 37 RP/0/RSP0/CPU0:Jul 21 14:42: : iedged[246]: [AAA_BASE:client] aaa_base_req_free: Freeing the aaa base req structure 50d564fc, 50dace4c RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:generic] aaa_base_aipc_handle_aaa_base_msg: Received IPC message Type 11 App type 1 RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:error] aaa_base_aipc_handle_aaa_base_msg: req_handle is successfully removed from hash table. id 5 RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:generic] Attribute List: 0x5013a948 RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_g_sent: FSM State: G SENT Event:23 RP/0/RSP0/CPU0:Jul 21 14:42: : iedged[246]: [AAA_BASE:generic] aaa_base_handle_aaa_api: AAA Base Server Pulse handler- Received 11 msg type RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:fsm] aaa_base_req_handle_fsm_state_g_sent: Received PASS status RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:aaa Base Client Handler... RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:generic] aaa_base_handle_aaa_msg:calling client call back function RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: [AAA_BASE:client] aaa_base_req_free: Freeing the aaa base req structure 5013cdb4, 5013ab58 RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: RADIUS: Send CoA Ack Response to id 1, len 20 RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: RADIUS: authenticator FB 9F 14 C3 20 C7 98 C0 - E3 6E 32 E9 20 CD RP/0/RSP0/CPU0:Jul 21 14:42: : radiusd[1117]: Updating last used server RP/0/RSP0/CPU0:Jul 21 14:42: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_client_handler client context: ec7139dc RP/0/RSP0/CPU0:Jul 21 14:42: : iedged[246]: [AAA_BASE:generic] aaa_base_aipc_client_handler: IPC_NOTIFY_SENDSTATUS ipc_release_buffer success msg_len= 37 RP/0/RSP0/CPU0:Roy_BNG_1#sh debug Mon Jul 21 14:43: UTC #### debug flags set from tty 'vty0' #### radius basic flag is ON aaabase all flag is ON RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber manager disconnect- history unique summary Mon Jul 21 14:49: UTC [ IEDGE DISCONNECT HISTORY UNIQUE EVENTS ] Location: 0/RSP0/CPU0 Count Last Interface Last Time Disconnected Disconnect reason ===== ============== ====================== ================= 1 BE pppoe1 2014:07:21 14:42:33 Subscriber disconnect on Account- Logoff policy event, DC: 3 AC: 52 TC: 191 of 237

192 Location: 0/0/CPU0 Location: 0/RSP0/CPU0 RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber manager disconnect- history unique Mon Jul 21 14:49: UTC [ IEDGE DISCONNECT HISTORY UNIQUE EVENTS ] Disconnect Reason: Disconnect Cause: AAA_DISC_CAUSE_ACC_LOGOFF (3) Abort Cause: AAA_AV_ABORT_CAUSE_LOCAL_ADMIN_DISC (52) Terminate Cause: AAA_AV_TERMINATE_CAUSE_ADMIN_RESET (6) Disconnect Count: 1 Last Time Disconnected: 2014:07:21 14:42:33 Client: Last Subscriber Label: Last Interface: [ Last Session Info ] Subscriber disconnect on Account- Logoff policy event [iedge internal] 0x BE pppoe1 Interface: Unknown Circuit ID: Unknown Remote ID: Unknown Type: PPPoE:PTA IPv4 State: Up, Mon Jul 21 14:30: IPv4 Address: , VRF: default IPv4 Up helpers: 0x {PPP} IPv4 Up requestors: 0x {PPP} IPv6 State: Up, Mon Jul 21 14:30: IPv6 Interface ID: >.T.._.A (3e ff fe 5f c0 41) IPv6 Up helpers: 0x {PPP,ND} IPv6 Up requestors: 0x {PPP,ND} Mac Address: 3c07.545f.c041 Account- Session Id: Nas- Port: User name: V6PPP9@S99 Outer VLAN ID: 101 Inner VLAN ID: 99 Subscriber Label: 0x Created: Mon Jul 21 14:30: State: Activated Authentication: authenticated Authorization: unauthorized Ifhandle: 0x000013a0 Session History ID: 1 Access- interface: Bundle- Ether Policy Executed: event Session- Start match- first [at Mon Jul 21 14:30: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 activate dynamic- template S99_DT_LCP [cerr: No error][aaa: Success] event Session- Activate match- first [at Mon Jul 21 14:30: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 authenticate aaa list S99_AAA_list [cerr: No error][aaa: Success] 20 activate dynamic- template DOWNLOADING_SERVICE_1 aaa list S99_AAA_list [cerr: No error][aaa: Success] 30 activate dynamic- template S99_DT_PTA_MIN [cerr: No error][aaa: Success] Session Accounting: disabled Last COA request: Mon Jul 21 14:42: of 237

193 COA Request Attribute List: 0x500fe4bc 1: command len= 15 value= account- logoff< different to the PoD Last COA response: Result ACK COA Response Attribute List: 0x500fe6cc User Profile received from AAA: Attribute List: 0x500fe8dc 1: ipv6- enable len= 4 value= 1(1) Services: Name : S99_DT_LCP Service- ID : 0x400003e Type : Template Status : Applied Name : DOWNLOADING_SERVICE_1 Service- ID : 0x Type : Profile Status : Applied Name : S99_DT_PTA_MIN Service- ID : 0x400005b Type : Template Status : Applied [Event History] Jul 21 14:30: SUBDB produce done [many] Jul 21 14:30: IPv4 Up Jul 21 14:30: IPv6 Up [many] Jul 21 14:42: CoA request [many] Location: 0/0/CPU0 Packet capture from wireshark PoD request packt No. Time Source Destination Protocol Length Info RADIUS 102 CoA- Request(43) (id=1, l=60) Frame : 102 bytes on wire (816 bits), 102 bytes captured (816 bits) on interface 0 Ethernet II, Src: Vmware_c3:a0:3a (00:0c:29:c3:a0:3a), Dst: Cisco_3a:d1:f5 (e4:c7:22:3a:d1:f5) Internet Protocol Version 4, Src: ( ), Dst: ( ) User Datagram Protocol, Src Port: (30286), Dst Port: mps- raft (1700) Source port: (30286) Destination port: mps- raft (1700) Length: 68 Checksum: 0xe521 [validation disabled] Radius Protocol Code: CoA- Request (43) Packet identifier: 0x1 (1) Length: 60 Authenticator: 5dfa0605a b114c60e41c6cbe2 [The response to this request is in frame ] Attribute Value Pairs AVP: l=10 t=acct- Session- Id(44): Acct- Session- Id: AVP: l=30 t=vendor- Specific(26) v=ciscosystems(9) VSA: l=24 t=cisco- AVPair(1): command=account- logoff 193 of 237

194 CoA ACK packet No. Time Source Destination Protocol Length Info RADIUS 62 CoA- ACK(44) (id=1, l=20) Frame : 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface 0 Ethernet II, Src: Cisco_3a:d1:f5 (e4:c7:22:3a:d1:f5), Dst: Vmware_c3:a0:3a (00:0c:29:c3:a0:3a) Internet Protocol Version 4, Src: ( ), Dst: ( ) User Datagram Protocol, Src Port: mps- raft (1700), Dst Port: (30286) Source port: mps- raft (1700) Destination port: (30286) Length: 28 Checksum: 0x4431 [validation disabled] Radius Protocol Code: CoA- ACK (44) Packet identifier: 0x1 (1) Length: 20 Authenticator: fb9f14c320c798c0e36e32e920cd0783 [This is a response to a request in frame ] [Time from request: seconds] Note - Acct-session-id here is used as a session key, alternatively, you can use framed-ip-address plus AVpair vrf-id as session key or User-Name - the Cisco AVPair command=account-logoff is also included in the CoA request, which is equivalent to subscriber:command=account-logoff. - Note this is a CoA request (code 43), rather than a PoD request. - When an account-logoff command is received, if their is no action configured in a policy-map type control subscriber XXX event accountlogoff, the session will be disconnected immediately Example of CoA account-logoff with explicit actions in control policy Scenario There is a pppoe session established, and there is an event of account-logoff configured with action of activating a service. In this case, when a accountlogoff request is received(same as the request message used in previous scenario), the session is not disconnected, instead, the service is activated as expected, and the session is mark as unauthentiacated. policy- map type control subscriber S99_CP_PTA_SERVICE_DOWNLOAD 194 of 237

195 event session- start match- first class type control subscriber S99_PTA do- until- failure 10 activate dynamic- template S99_DT_LCP event session- activate match- first class type control subscriber S99_PTA do- until- failure 10 authenticate aaa list S99_AAA_list 20 activate dynamic- template DOWNLOADING_SERVICE_1 aaa list S99_AAA_list 30 activate dynamic- template S99_DT_PTA_MIN event account- logoff match- first class type control subscriber S99_PTA do- until- failure 10 activate dynamic- template HTTPRDRT_TPL_1 end- policy- map ASR9K show/debug display RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess all de internal Mon Jul 21 15:08: UTC Interface: Bundle- Ether pppoe2 Circuit ID: Unknown Remote ID: Unknown Type: PPPoE:PTA IPv4 State: Up, Mon Jul 21 15:07: IPv4 Address: , VRF: default IPv4 Up helpers: 0x {PPP} IPv4 Up requestors: 0x {PPP} IPv6 State: Up, Mon Jul 21 15:07: IPv6 Interface ID: >.T.._.A (3e ff fe 5f c0 41) IPv6 Up helpers: 0x {PPP,ND} IPv6 Up requestors: 0x {PPP,ND} Mac Address: 3c07.545f.c041 Account- Session Id: Nas- Port: User name: Outer VLAN ID: 101 Inner VLAN ID: 99 Subscriber Label: 0x Created: Mon Jul 21 15:07: State: Activated Authentication: unauthenticated Authorization: unauthorized Ifhandle: 0x000013e0 Session History ID: 2 Access- interface: Bundle- Ether Policy Executed: event Session- Start match- first [at Mon Jul 21 15:07: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 activate dynamic- template S99_DT_LCP [cerr: No error][aaa: Success] event Session- Activate match- first [at Mon Jul 21 15:07: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 authenticate aaa list S99_AAA_list [cerr: No error][aaa: Success] 20 activate dynamic- template DOWNLOADING_SERVICE_1 aaa list S99_AAA_list [cerr: No error][aaa: Success] 195 of 237

196 30 activate dynamic- template S99_DT_PTA_MIN [cerr: No error][aaa: Success] event Account- Logoff match- first [at Mon Jul 21 15:08: ] class type control subscriber S99_PTA do- until- failure [Succeeded] 10 activate dynamic- template HTTPRDRT_TPL_1 [cerr: No error][aaa: Success] Session Accounting: disabled Last COA request: Mon Jul 21 15:08: COA Request Attribute List: 0x500fa324 1: command len= 15 value= account- logoff Last COA response: Result ACK COA Response Attribute List: 0x500fa534 User Profile received from AAA: Attribute List: 0x500fa744 1: ipv6- enable len= 4 value= 1(1) Services: Name : S99_DT_LCP Service- ID : 0x400003e Type : Template Status : Applied Name : DOWNLOADING_SERVICE_1 Service- ID : 0x Type : Profile Status : Applied Name : S99_DT_PTA_MIN Service- ID : 0x400005b Type : Template Status : Applied Name : HTTPRDRT_TPL_1 Service- ID : 0x400002c Type : Template Status : Applied [Event History] Jul 21 15:07: IPv4 Up Jul 21 15:07: IPv6 Up [many] Jul 21 15:08: CoA request Jul 21 15:08: SUBDB produce done [many] 6.6.Account-logon The subscriber credential information input by subscriber on a Web Portal can be pushed to a BNG using CoA request with account- logon command. Normally, a HTTP- redirect policy could be use to redirect the subscriber s http request to the web- portal to prompt him/her to input the username/password. Please be noted that the username is carried in the IETF attribute User- Name, and password is not carried in IETF attribute Password, instead, Cisco VSA 249 ( not a cisco AVPair, the code is 26,9,249) cisco- subscriber- password is used with encryption. 196 of 237

197 6.6.1.Example of TAL + CoA account-logon Scenario This is a example deployed in real network to provide TAL+Portal based web- logon using CoA Account- logon request to SP- WIFI subscriber. When the FSOL (dhcp discover) arrive at ASR9K BNG, a IPoE session is triggered to establish and TAL using source MAC is conducted. If the TAL fails, a timer is set to 3 minutes and the session could live with unauthenticated state before the timer Pires. HTTP redirect policy is enabled to redirect the subscriber s http request to a web portal for username/password input. The username and password will be pushed to BNG using CoA message with command account- logon. On receipt of the CoA message, BNG will do authentication using the provided username/password to RADIUS server, and deactivate the HTTP- R policy. The Portal used in following example is a demo version portal application with CoA client functionality. aaa attribute format MAC_USERNAME mac-address dhcp ipv4 profile S99_SERVER_PROFILE server lease pool S99_POOL_DHCPV4 subnet-mask default-router interface Bundle-Ether server profile S99_SERVER_PROFILE interface Loopback2099 ipv4 address interface Bundle-Ether description student-99 DHCPv4 session ipv4 point-to-point ipv4 unnumbered Loopback2099 service-policy type control subscriber S99_IPoE_TAL_WEBLOGON ipsubscriber ipv4 l2-connected initiator dhcp encapsulation ambiguous dot1q 201 second-dot1q policy-map type control subscriber S99_IPoE_TAL_WEBLOGON event session-start match-first 197 of 237

198 class type control subscriber DHCPv4 do-until-failure 10 activate dynamic-template S99_DT_DHCPV4_MIN 20 authorize aaa list S99_AAA_list format MAC_USERNAME password cisco event authorization-failure match-first class type control subscriber DHCPv4 do-until-failure 10 activate dynamic-template HTTPRDRT_TPL_1 20 set-timer UNAUTH_TMR 3 event account-logon match-first class type control subscriber DHCPv4 do-until-failure 10 authenticate aaa list S99_AAA_list 20 deactivate dynamic-template HTTPRDRT_TPL_1 event timer-expiry match-first class type control subscriber UNAUTH_TMR_CM do-until-failure 10 disconnect end-policy-map class-map type control subscriber match-all UNAUTH_TMR_CM match timer UNAUTH_TMR match authen-status unauthenticated end-class-map class-map type control subscriber match-any DHCPv4 match protocol dhcpv4 end-class-map dynamic-template type ipsubscriber S99_DT_DHCPV4_MIN ipv4 unnumbered Loopback2099 type service HTTPRDRT_TPL_1 service-policy type pbr HTTPRDRT_PBR_1 policy-map type pbr HTTPRDRT_PBR_1 class type traffic Portal transmit class type traffic HTTPRDRT http-redirect class type traffic class-default drop end-policy-map class-map type traffic match-any Portal match access-group ipv4 Portal end-class-map 198 of 237

199 class-map type traffic match-any HTTPRDRT match access-group ipv4 HTTPRDRT_ACL end-class-map ipv4 access-list Portal 10 permit icmp any any 20 permit ipv4 any host permit ipv4 any host ipv4 access-list HTTPRDRT_ACL 10 permit tcp any any eq www step 1, session established but TAL fail. RADIUS server log for TAL( failure) Mon Jul 21 16:58: : Info: Ready to process requests. rad_recv: Access- Request packet from host port 29765, id=33, lengt h=233 Cisco- AVPair = "client- mac- address=3c07.545f.c041" Acct- Session- Id = " " NAS- Port = NAS- Port- Id = "0/0/201/99.201" Cisco- NAS- Port = "0/0/201/99.201" User- Name = "3c07.545f.c041" Service- Type = Outbound- User User- Password = "cisco" NAS- Port- Type = 44 Called- Station- Id = "99" Calling- Station- Id = "3c07.545f.c041" Event- Timestamp = Cisco- AVPair = "dhcp- client- id=<\007t_\300a" NAS- Identifier = "Roy_BNG_1" NAS- IP- Address = Mon Jul 21 22:52: : Info: # Executing section authorize from file../etc/ raddb/sites- enabled/default Mon Jul 21 22:52: : Info: Failed to authenticate the user. Mon Jul 21 22:52: : Auth: Login incorrect: [3c07.545f.c041] (from client port cli 3c07.545f.c041) Mon Jul 21 22:52: : Info: Using Post- Auth- Type REJECT BNG session information- unauthenticated and unauthorised with HTTPredirect policy enabled RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber sess al de internal Mon Jul 21 22:51: UTC 199 of 237

200 Interface: Bundle- Ether ip4 Circuit ID: Unknown Remote ID: Unknown Type: IP: DHCP- trigger IPv4 State: Up, Mon Jul 21 22:51: IPv4 Address: , VRF: default IPv4 Up helpers: 0x {IPSUB} IPv4 Up requestors: 0x {IPSUB} Mac Address: 3c07.545f.c041 Account- Session Id: Nas- Port: User name: 3c07.545f.c041 Outer VLAN ID: 201 Inner VLAN ID: 99 Subscriber Label: 0x f Created: Mon Jul 21 22:51: State: Activated Authentication: unauthenticated Authorization: unauthorized Ifhandle: 0x000014e0 Session History ID: 6 Access- interface: Bundle- Ether Policy Executed: event Session- Start match- first [at Mon Jul 21 22:51: ] class type control subscriber DHCPv4 do- until- failure [Succeeded] 10 activate dynamic- template S99_DT_DHCPV4_MIN [cerr: No error][aaa: Success] 20 authorize aaa list S99_AAA_list [cerr: No error][aaa: Reject] event Author Failure match- first [at Mon Jul 21 22:51: ] class type control subscriber DHCPv4 do- until- failure [Succeeded] 10 activate dynamic- template HTTPRDRT_TPL_1 [cerr: No error][aaa: Success] 20 set- timer UNAUTH_TMR 3 [cerr: No error][aaa: Success] Session Accounting: disabled Last COA request received: unavailable User Profile received from AAA: None Services: Name : S99_DT_DHCPV4_MIN Service- ID : 0x Type : Template Status : Applied Name : HTTPRDRT_TPL_1 Service- ID : 0x400002c Type : Template Status : Applied [Event History] Jul 21 22:51: IPv4 Start Jul 21 22:51: SUBDB produce done Jul 21 22:51: IPv4 Up step 1.1,Session get disconnected and dhcp proxy binding entry also get cleared if no authentication is completed within 3 minutes RP/0/RSP0/CPU0:Roy_BNG_1#sh subscriber manager disconnect- history unique Disconnect Reason: Subscriber disconnect on Timer- Expiry policy event Disconnect Cause: AAA_DISC_CAUSE_TIMER_EXPIRY (9) 200 of 237

201 Abort Cause: AAA_AV_ABORT_CAUSE_LOCAL_ADMIN_DISC (52) Terminate Cause: AAA_AV_TERMINATE_CAUSE_ADMIN_RESET (6) Disconnect Count: 1 Last Time Disconnected: 2014:07:21 22:54:29 Client: [iedge internal] Last Subscriber Label: 0x f Last Interface: BE ip4 [ Last Session Info ] Interface: Unknown Circuit ID: Unknown Remote ID: Unknown Type: IP: DHCP- trigger IPv4 State: Up, Mon Jul 21 22:51: IPv4 Address: , VRF: default IPv4 Up helpers: 0x {IPSUB} IPv4 Up requestors: 0x {IPSUB} Mac Address: 3c07.545f.c041 Account- Session Id: Nas- Port: User name: 3c07.545f.c041 Outer VLAN ID: 201 Inner VLAN ID: 99 Subscriber Label: 0x f Created: Mon Jul 21 22:51: State: Activated Authentication: unauthenticated Authorization: unauthorized Ifhandle: 0x000014e0 Session History ID: 6 Access- interface: Bundle- Ether Policy Executed: event Session- Start match- first [at Mon Jul 21 22:51: ] class type control subscriber DHCPv4 do- until- failure [Succeeded] 10 activate dynamic- template S99_DT_DHCPV4_MIN [cerr: No error][aaa: Success] 20 authorize aaa list S99_AAA_list [cerr: No error][aaa: Reject] event Author Failure match- first [at Mon Jul 21 22:51: ] class type control subscriber DHCPv4 do- until- failure [Succeeded] 10 activate dynamic- template HTTPRDRT_TPL_1 [cerr: No error][aaa: Success] 20 set- timer UNAUTH_TMR 3 [cerr: No error][aaa: Success] event Timer- Expiry match- first [at Mon Jul 21 22:54: ] class type control subscriber UNAUTH_TMR_CM do- until- failure [Succeeded] Session Accounting: disabled Last COA request received: unavailable User Profile received from AAA: None Services: Name : S99_DT_DHCPV4_MIN Service- ID : 0x Type : Template Status : Applied Name : HTTPRDRT_TPL_1 Service- ID : 0x400002c Type : Template Status : Applied [Event History] Jul 21 22:51: IPv4 Start Jul 21 22:51: SUBDB produce done Jul 21 22:51: IPv4 Up 201 of 237

step 2, http request get redirect to a portal Step 3, CoA request with accont- logon is sent to BNG and triggered an successful authentication to radius

619 UTC RP/0/RSP0/CPU0:Roy_BNG_1#ter moni Tue Jul 22 00:04:32.902 UTC RP/0/RSP0/CPU0:Roy_BNG_1#RP/0/RSP0/CPU0:Jul 22 00:04:49.

202 step 2, http request get redirect to a portal Step 3, CoA request with accont- logon is sent to BNG and triggered an successful authentication to radius server(username=wifi, Password=cisco) debug display on ASR9K BNG RP/0/RSP0/CPU0:Roy_BNG_1#debug radius Tue Jul 22 00:04: UTC RP/0/RSP0/CPU0:Roy_BNG_1#ter moni Tue Jul 22 00:04: UTC RP/0/RSP0/CPU0:Roy_BNG_1#RP/0/RSP0/CPU0:Jul 22 00:04: : radiusd[1117]: RADIUS: Received from id , CoA Request, len 112 RP/0/RSP0/CPU0:Jul 22 00:04: : radiusd[1117]: RADIUS: authenticator CF DD 0E E6 FA D2 D3 27-8F D7 DA 5E AA 32 5D of 237

RADIUS Attributes. RADIUS IETF Attributes

RADIUS Attributes. RADIUS IETF Attributes Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS